
Cisco Site to Site VPN Blocking HTTP traffic to remote Site

Asked by tmcgr (Cyprus)
Topics: Routers, VPN, Internet Protocol Security
Hello Experts,

At our company we have 2 different sites.
Both sites are using a Cisco 881 with the same IOS.
The problem is that from Site 1 we cannot browse any HTTP traffic to Site 2,
but from Site 2 we can browse everything at Site 1.
Below are the running configs.
Thanks in advance.

Site1



Building configuration...

Current configuration : 14263 bytes
!
! Last configuration change at 15:04:11 PCTime Mon Sep 27 2010 by tmc
! NVRAM config last updated at 14:57:02 PCTime Mon Sep 27 2010 by tmc
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cygw
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 2 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3946890528
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3946890528
 revocation-check none
!
!
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Vlan1
ip domain name aecsoft.int
ip name-server 10.0.0.13
ip name-server 10.0.0.14
ip name-server 10.0.0.16
ip name-server 192.168.1.13
ip name-server 192.168.1.14
ip port-map user-protocol--1 port tcp 8080
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn xxxxxxx
!
!
username tmc privilege 15 secret 5 xxxxxx
username chris privilege 5 secret 5 xxxxxx
!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-any PPTP
 match protocol pptp
 match access-group name GRE
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 110
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 106
 match protocol smtp
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 109
 match protocol pptp
 match class-map PPTP
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 103
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-2
 match access-group 108
 match protocol https
class-map type inspect match-all sdm-nat-https-1
 match access-group 107
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-https-2
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address xxxxxx
!
crypto isakmp client configuration group xxxxxx
 key xxxxxxx
 dns 10.0.0.13 10.0.0.14
 domain xxxxxx
 pool SDM_POOL_1
 acl 102
 include-local-lan
 backup-gateway xxxxxxxx
crypto isakmp profile ciscocp-ike-profile-1
   match identity group xxxxxxxx
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxxxxxx
 set peer xxxxxxx
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address xxxxxxxxxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.0.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.0.9.1 10.0.9.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 100
 sort-by bytes
 cache-timeout 65000
!
ip nat inside source static tcp 10.0.0.4 25 interface FastEthernet4 25
ip nat inside source static tcp 10.0.0.1 443 interface FastEthernet4 443
ip nat inside source static tcp 10.0.0.14 1723 interface FastEthernet4 1723
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.250 8080 xxxxx 8080 extendable
ip nat inside source static tcp 10.0.0.16 443 xxxx 443 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxxxx
!
ip access-list extended GRE
 permit gre any any
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
logging esm config
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip xxxxxx 0.0.0.7 any
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host xxxxxx any
access-list 105 remark CCP_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 10.0.0.4
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 10.0.0.16
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 10.0.0.1
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 10.0.0.14
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 10.0.0.250
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
control-plane
!
^C
banner login ^CAll Access Monitored^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end



Site 2



gwath#term len 0
gwath#show run
Building configuration...

Current configuration : 14280 bytes
!
! Last configuration change at 15:03:39 PCTime Mon Sep 27 2010 by tmc
! NVRAM config last updated at 15:13:03 PCTime Mon Sep 27 2010 by tmc
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gwath
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 2 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3823012008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3823012008
 revocation-check none
!
!
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain lookup source-interface Vlan1
ip domain name aecsoft.int
ip name-server 192.168.1.13
ip name-server 192.168.1.14
ip name-server 10.0.0.13
ip name-server 10.0.0.14
ip name-server 10.0.0.16
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn xxxxx
!
!
username tmc privilege 15 secret 5 xxxxx
!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 105
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 107
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 103
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address xxxxx
!
crypto isakmp client configuration group aecsoft
 key aecsoft123
 dns 192.168.1.13 192.168.1.14
 domain aecsoft.int
 pool SDM_POOL_1
 save-password
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group aecsoft
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxxxx
 set peer xxxxx
 set transform-set ESP-3DES-SHA1
 match address 101
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 7 xxxxxx
 ppp pap sent-username xxxxxxx password 7 xxxxxx
 no cdp enable
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.254
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.14 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.13 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
logging esm config
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 remark CCP_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host 81.4.137.170 any
access-list 105 remark CCP_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.14
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.1.13
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 

!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Sorry for wall of text

regards
thanasis