reliantit
asked on
Need assistance with VPN between Cisco 1841 and Pix - Remote location cannot access 2 internal subnets
I have a remote location that has a Cisco 1841 which has a VPN back to corporate, where we have a PIX 515E. We have two internal subnets (192.168.0.* and 192.168.2.*), and I need the remote location to be able to access both subnets. Currently, the remote location can see all of 192.168.0.*. I am extremely new at all of this!!
Here is a partial PIX config:
: Written by enable_15 at 09:29:41.091 CDT Wed Oct 8 2008
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
...
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 4112
fixup protocol http 8080
fixup protocol http 8089
fixup protocol http 8443
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
...
name 192.168.77.0 Oesa_Kmit
object-group service Base_Inet_dns tcp
port-object eq whois
port-object eq www
port-object eq domain
port-object eq smtp
port-object eq ldaps
port-object eq ftp
port-object eq https
port-object eq ldap
port-object eq 402
port-object eq 1935
port-object eq 401
port-object eq 43190
port-object eq 1680
port-object eq 4952
port-object eq 4951
port-object eq 4950
port-object eq 3829
port-object eq 1010
port-object eq 1759
port-object eq 1758
port-object eq 43189
port-object eq 4949
port-object range 10113 10115
port-object eq 8506
port-object eq 8510
object-group service NetBios_ports udp
port-object eq netbios-ns
port-object eq netbios-dgm
access-list inbound permit icmp any any
access-list inbound permit tcp any host 38.158.46.122 eq www
access-list inbound permit tcp any host 38.158.46.122 eq 3389
access-list inbound permit tcp any host 38.158.46.123 eq www
access-list inbound permit tcp any host 38.158.46.118 eq www
access-list inbound permit tcp any host 38.158.46.118 eq domain
access-list inbound permit udp any host 38.158.46.118 eq domain
access-list inbound permit tcp any host 38.158.46.121 eq domain
access-list inbound permit udp any host 38.158.46.121 eq domain
access-list inbound permit tcp any host 38.158.46.120 eq 9413
access-list inbound permit udp any host 38.158.46.120 eq 9413
access-list inbound permit tcp any host 38.158.46.119 eq smtp
access-list inbound permit tcp any host 38.158.46.119 eq pop3
access-list inbound permit tcp any host 38.158.46.119 eq www
access-list inbound permit tcp any host 38.158.46.119 eq https
access-list inbound remark IIS Server
access-list inbound permit tcp any host 38.158.46.117 eq www
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inbound permit udp any any eq isakmp
access-list inbound permit tcp any eq smtp any eq smtp
access-list inbound permit tcp any host 38.158.46.114 eq 6881
access-list inbound permit tcp any host 38.158.46.117 eq 8080
access-list inbound permit tcp any host 38.158.46.117 eq ftp
access-list inbound permit tcp any host 38.158.46.117 eq 402
access-list inbound permit udp host 38.158.46.113 host 38.158.46.118 eq syslog
access-list inbound permit udp any any eq syslog
access-list inbound permit udp host 38.158.46.113 host 192.168.0.5 eq syslog
access-list inbound permit tcp any host 38.158.46.125 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.117 eq 16386
access-list inbound permit tcp any host 38.158.46.124 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.126 object-group Base_Inet_dns
access-list inbound remark HMS_MPDQ_SERVER
access-list inbound permit tcp any host 38.158.46.116 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.116 eq 3389
access-list inbound permit udp any host 38.158.46.116 eq www
access-list inbound permit tcp any host 38.158.46.117 eq 8530
access-list inbound permit tcp any host 38.158.46.115 object-group Base_Inet_dns
access-list inbound permit tcp any host 38.158.46.119 eq imap4
access-list inbound permit tcp any host 38.158.46.119 eq 993
access-list inbound permit udp any host 38.158.46.121 eq snmp
access-list inbound permit udp any host 38.158.46.121 eq snmptrap
access-list inbound permit tcp any host 38.158.46.124 eq 3389
access-list inbound permit udp host 26.17.14.206 host 38.158.46.121 eq tftp
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list NONAT permit ip any 10.100.100.0 255.255.255.192
access-list NONAT permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 10.100.100.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.100.100.0 255.255.255.192
access-list P2P deny tcp any 128.121.20.0 255.255.255.240 eq www
access-list P2P deny tcp any 128.121.4.0 255.255.255.0 eq www
access-list P2P deny tcp any any eq 4662
access-list P2P permit ip any any
access-list outbound permit udp any any log
access-list outside_cryptomap_250 permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
access-list outside_cryptomap_250 remark Oesa_Kmit
access-list outside_cryptomap_250 permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
pager lines 24
logging on
logging timestamp
logging monitor errors
logging buffered informational
logging trap informational
logging history informational
logging facility 22
logging host inside 192.168.0.17
mtu outside 1500
mtu inside 1500
ip address outside 38.158.46.114 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNIPPOOL 10.100.100.1-10.100.100.50
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 192.168.0.5 255.255.255.255 inside
pdm location 192.168.0.6 255.255.255.255 inside
pdm location 192.168.0.9 255.255.255.255 inside
pdm location 192.168.0.10 255.255.255.255 inside
pdm location 192.168.0.12 255.255.255.255 inside
pdm location 192.168.0.17 255.255.255.255 inside
pdm location 10.100.100.0 255.255.255.0 outside
pdm location 192.168.0.20 255.255.255.255 inside
pdm location 192.168.0.13 255.255.255.255 inside
pdm location 192.168.0.8 255.255.255.255 inside
pdm location 128.121.4.0 255.255.255.0 outside
pdm location 128.121.20.0 255.255.255.240 outside
pdm location 192.168.0.14 255.255.255.255 inside
pdm location 192.168.0.23 255.255.255.255 inside
pdm location 192.168.0.48 255.255.255.255 inside
pdm location 192.168.0.41 255.255.255.255 inside
pdm location 192.168.35.0 255.255.255.0 inside
pdm location 192.168.35.0 255.255.255.0 outside
pdm location 192.168.0.108 255.255.255.255 inside
pdm location 192.168.0.0 255.255.255.0 inside
pdm location 192.168.0.201 255.255.255.255 inside
pdm location 192.168.26.0 255.255.255.0 inside
pdm location 192.168.26.0 255.255.255.0 outside
pdm location 192.168.0.11 255.255.255.255 inside
pdm location Oesa_Kmit 255.255.255.0 inside
pdm location Oesa_Kmit 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 38.158.46.120 192.168.0.9 netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.121 192.168.0.17 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.122 192.168.0.12 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.123 192.168.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.118 192.168.0.5 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.119 192.168.0.8 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.117 192.168.0.14 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.126 192.168.0.215 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.125 192.168.0.20 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.116 192.168.0.201 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.115 192.168.0.11 dns netmask 255.255.255.255 0 0
static (inside,outside) 38.158.46.124 192.168.0.203 dns netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group P2P in interface inside
conduit permit udp host 192.168.0.22 eq 9996 any
route outside 0.0.0.0 0.0.0.0 38.158.46.113 1
route inside 192.168.2.0 255.255.255.0 192.168.0.101 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server AuthInbound protocol radius
aaa-server AuthInbound max-failed-attempts 3
aaa-server AuthInbound deadtime 10
aaa-server AuthInbound (inside) host 192.168.0.20 cisco timeout 10
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 250 ipsec-isakmp
crypto map outside_map 250 match address outside_cryptomap_250
crypto map outside_map 250 set peer 26.17.14.206
crypto map outside_map 250 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 26.17.14.206 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer ip 65.26.45.34 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ***** address-pool VPNIPPOOL
vpngroup ***** dns-server 192.168.0.20 192.168.0.6
vpngroup ***** default-domain reliantholdingsllc.com
vpngroup ***** split-tunnel CLIENTVPN
vpngroup ***** idle-time 1800
vpngroup ***** password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
And here is the remote config:
Using 5800 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Oesa_Kmit
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool POOL-DHCP
network 192.168.75.0 255.255.255.0
default-router 192.168.75.1
dns-server 192.168.0.6 192.168.0.20 12.127.17.72 12.127.16.68
domain-name headquarters
!
!
ip domain name ****
ip name-server 12.127.17.72
ip name-server 12.127.16.68
vpdn enable
!
vpdn-group RELIANTOD-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
crypto pki trustpoint TP-self-signed-1082382151
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1082382151
revocation-check none
rsakeypair TP-self-signed-1082382151
!
!
crypto pki certificate chain TP-self-signed-1082382151
certificate self-signed 01 nvram:IOS-Self-Sig#3101.cer
username **** password 0 ***********
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key oesa_kmit address 38.158.46.114 no-xauth
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map Oesa_Kmit 10 ipsec-isakmp
set peer 38.158.46.114
set transform-set ESP-DES-MD5
match address vpn_tunnel
!
!
!
interface FastEthernet0/0
description NTS LAN Connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Local Internetwork
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface Serial0/0/0.100 point-to-point
ip address 26.17.14.206 255.255.255.252
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 100 IETF
crypto map Oesa_Kmit
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool defaultpool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
router rip
version 2
passive-interface Serial0/0/0
network 192.168.75.0
no auto-summary
!
ip local pool defaultpool 192.168.75.170 192.168.75.180
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 26.17.14.205
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/0/0.100 overload
ip nat inside source static tcp 192.168.75.150 3389 26.17.14.206 3389 extendable
!
ip access-list extended NAT
deny ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.100.100.0 0.0.0.255 any
permit ip 192.168.75.0 0.0.0.255 any
deny ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended vpn_tunnel
permit ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 60 permit 38.158.46.121
access-list 60 deny any
snmp-server community public RO
snmp-server community topsecret RW 60
snmp-server location Oesa_Kmit
snmp-server enable traps tty
route-map nonat permit 10
match ip address NAT
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
end
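Added example, not part of the original post. The reason 192.168.0.x works and 192.168.2.x does not is visible in the posted 1841 config. IOS evaluates the `NAT` access list top-down, first match wins, and on the outbound path NAT runs before the crypto map is checked. `permit ip 192.168.75.0 0.0.0.255 any` sits above `deny ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255`, so a packet for 192.168.2.0/24 is translated to 26.17.14.206 first; the translated packet no longer matches `vpn_tunnel`, is never encrypted, and is routed in the clear toward the default gateway, where nothing answers. A packet for 192.168.0.0/24 hits the first `deny`, stays untranslated, matches `vpn_tunnel` and goes through the tunnel. The fix is to move the two catch-all permits below every deny. On the PIX side both `outside_cryptomap_250` and `NONAT` already list 192.168.2.0/24, but they reference `Oesa_Kmit`, which the posted `name` line binds to 192.168.77.0 while the 1841 LAN is 192.168.75.0/24; check what the box really resolves that to before assuming it is a typo in the post. Finally, 192.168.2.0/24 sits behind 192.168.0.101, so that internal router must have a return path for 192.168.75.0/24 via the PIX inside address. The internal router's platform is not shown; the route line below assumes IOS syntax.

```cisco
! ===== Cisco 1841 (Oesa_Kmit) =====
! Added example for this thread, not the posted config.
! Remove the two catch-all permits and re-add them so they land after
! every "deny" (deny = exempt from NAT = eligible for the crypto map).
! Deleting an entry by its full text works regardless of sequence numbers.
! LAN traffic to the Internet is briefly un-NATed between the "no permit"
! and "permit" lines, so paste the whole block at once.
configure terminal
ip access-list extended NAT
 no permit ip 10.100.100.0 0.0.0.255 any
 no permit ip 192.168.75.0 0.0.0.255 any
 permit ip 192.168.75.0 0.0.0.255 any
 permit ip 10.100.100.0 0.0.0.255 any
exit
! Resulting order, as "show ip access-lists NAT" should display it:
!  deny   ip 192.168.75.0 0.0.0.255 192.168.0.0 0.0.0.255
!  deny   ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
!  deny   ip 192.168.75.0 0.0.0.255 192.168.2.0 0.0.0.255
!  deny   ip 10.100.100.0 0.0.0.255 192.168.2.0 0.0.0.255
!  permit ip 192.168.75.0 0.0.0.255 any
!  permit ip 10.100.100.0 0.0.0.255 any
! The vpn_tunnel ACL already lists both corporate subnets; leave it alone.
end
! Drop translations already built for 192.168.2.0/24 flows and force a
! fresh IPsec negotiation so the second SA pair (75.0 <-> 2.0) is built.
clear ip nat translation *
clear crypto sa peer 38.158.46.114
! Ping a 192.168.2.x host from a LAN PC, then verify:
!  - a second "local ident"/"remote ident" pair for 192.168.2.0/255.255.255.0
!  - #pkts encaps AND #pkts decaps both increasing; encaps rising with
!    decaps stuck at 0 means the packets leave encrypted but never come
!    back, i.e. a PIX-side or internal-routing problem, not this ACL.
show ip access-lists NAT
show ip nat translations
show crypto ipsec sa peer 38.158.46.114
write memory

! ===== PIX 515E, 6.3(5) =====
! "show access-list" prints the resolved addresses and a hitcnt per line.
! The destination on both crypto ACL lines must be 192.168.75.0 255.255.255.0
! (the 1841 LAN), not 192.168.77.0, and the 192.168.2.0 line should count hits.
show access-list outside_cryptomap_250
show access-list NONAT
show crypto ipsec sa
! Only if the box really resolves Oesa_Kmit to 192.168.77.0: add the same
! four lines with the literal remote LAN, then remove the stale ones.
configure terminal
access-list NONAT permit ip 192.168.0.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list outside_cryptomap_250 permit ip 192.168.0.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list outside_cryptomap_250 permit ip 192.168.2.0 255.255.255.0 192.168.75.0 255.255.255.0
no access-list NONAT permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
no access-list NONAT permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
no access-list outside_cryptomap_250 permit ip 192.168.0.0 255.255.255.0 Oesa_Kmit 255.255.255.0
no access-list outside_cryptomap_250 permit ip 192.168.2.0 255.255.255.0 Oesa_Kmit 255.255.255.0
clear crypto ipsec sa
write memory

! ===== Internal router at 192.168.0.101 (platform not shown; IOS syntax assumed) =====
! Hosts on 192.168.2.0/24 send their replies to this router. Unless its
! default route already points at the PIX, it needs an explicit return route:
ip route 192.168.75.0 255.255.255.0 192.168.0.1
! Check from a 192.168.2.x host: traceroute 192.168.75.1 should show
! 192.168.0.101 as the first hop and 192.168.0.1 as the second.
```

Two things worth fixing in the same change window: the pasted configs expose the IKE pre-shared key (`crypto isakmp key oesa_kmit ...`), a read-write SNMP community (`snmp-server community topsecret RW 60`) and, with `no service password-encryption` on the 1841, any local credentials, so rotate them now that they have been in a public thread. The tunnel also uses single DES with MD5 at both ends (`ESP-DES-MD5`, `isakmp policy 20 encryption des`); if both licenses allow it, move to 3DES or AES with SHA, changing the transform set and ISAKMP policy on both peers in the same step. The PIX line `ssh 0.0.0.0 0.0.0.0 outside` and the 1841's `transport input telnet ssh` on `vty 0 4` with no access-class also deserve a look once the tunnel works.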