Solved

Set up VPN on Cisco 871 Router?

Posted on 2010-11-11
22
1,754 Views
Last Modified: 2012-05-10
I have a Cisco 871 Router at my home, running C870-advipservicesk9 11.T2.
I have never set up a VPN on it.
I have a static WAN address from my ISP.

My goal (and I don't know if this is even possible using this router) is to be able to connect to this router (which sits at my house) from my laptop running Windows XP, when I'm at coffee shops, using a VPN connection, such that my internet traffic goes from my laptop at the coffee shop, to the router (via VPN), and from my router out to the internet... the idea being to establish a secure connection at the coffee shop end, so that my traffic can't be sniffed by others in the coffee shop.

That is, my router at home would be a "middleman" between myself at the coffee shop and the internet.

Ideally, I'd like to do this without adding any software on the XP machine, using XP's built in VPN capability, though I don't know if that's compatible with any of the VPN setups that the Cisco offers.  (It seems to have quite a few, and I'm not sure which if any of them are right for this scenario -- it seems to have things called "Site-to-Site VPN," "Easy VPN Remote," "Easy VPN Server," "Dynamic Multipoint VPN," "SSL VPN," etc.)

Can someone provide a step-by-step telling me how to set this up, both on the router and on the XP machine?
0
Comment
Question by:akahan
  • 11
  • 6
  • 2
  • +1
22 Comments
 
LVL 7

Expert Comment

by:lewisg
ID: 34118341
Good thing to do, VPN to a trusted point from insecure wireless networks. I do it all the time.

Unless the 871 offers a clientless VPN like SSL you will need some client software on your XP laptop,
0
 
LVL 7

Expert Comment

by:lewisg
ID: 34120428
You might want to look at this: http://www.shrew.net/software

Good docs in the support section.
0
 
LVL 26

Author Comment

by:akahan
ID: 34122042
I don't see anything about SSL in the Cisco... just IPSEC and IKE... so I guess I'd have to install a client on XP...not ideal, but if that's what I have to do, then that's what I have to do.

The Shrew docs describe how to set up the client, but say nothing about setting up the router.  What I need help with here is setting up the router, using Cisco Configuration Professional.
0
 
LVL 26

Author Comment

by:akahan
ID: 34122532
OH, wait, there is "SSL VPN," as mentioned earlier.
Still need step-by-step guidance to setting this up on the router.

Thanks!
0
 
LVL 5

Expert Comment

by:BooSTid
ID: 34124699
I'm going to assume you're using command line to set this up.

871's don't support SSL anyconnect vpn's; that begins on the ASA's.

871 can only terminate an IPSec connection, therefor a client will be used. I strongly recommend Cisco's client. This generally requires a Cisco support contract, but I'm confident you can find it on the internet.

The following is the configuration steps from the command line. Obviously my IP addressing will not be accurate since you didn't post yours, so you'll have to substitute as necessary.

Setup Local Authorization:
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local

Add Users/Usernames
username User1 privilege 15 secret blahblahblah

Define Phase1 (isakmp) Policy
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Create an isakmp peer that ignores source address. Use whatever key you want
crypto isakmp key super$secretk3y address 0.0.0.0 0.0.0.0

Create pool to be used for client connections. You can change the network used, but you have to obviously make the same changes to match further on in the config
ip local pool vpnpool 192.168.55.5 192.168.55.25
 
Specify the address pool to use for your VPN connections
crypto isakmp client configuration address-pool local vpnpool

Create a group for authentication. Set the key to whatever.
crypto isakmp client configuration group vpngroup
 key groupk3y
 pool vpnpool
 acl 100
 save-password
 include-local-lan
 max-users 5
 

Configure phase2 (ipsec) negotiation
crypto ipsec transform-set myset esp-3des esp-sha-hmac

Create the crypto map
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond


Assign crypto map to interface (assuming outside is fa4)
int fa4
crypto map dynmap


Define interesting traffic. This is the traffic set to traverse the tunnel. Will contain your vpn network and your local inside network. Assuming a local network of 192.168.1.0
access-list 100 remark ***VPN Permits***
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255

That should be about it. Not the easiest task on the planet. Troubleshooting usually consists of turning on term mon, and then watching debug crypto ipsec and debug crypto isakmp. That should give you all the info you need. You may need to alter your NAT overload statement, or possibly add some tweaks if you have static NATs that you want to be able to access via VPN. If you have any questions regarding this configuration, let us know.
0
 
LVL 26

Author Comment

by:akahan
ID: 34125113
Hi, thanks very much -

Please pardon my ignorance, but a few questions.... I'm reasonably smart, but TOTALLY unfamiliar with some of these commands...

Add Users/Usernames
username User1 privilege 15 secret blahblahblah



A login name for the VPN should be substituted for "User1", yes?
And would "blahblahblah" be a hash of the password that the User is going to use to access the VPN?  Or something else?

Create an isakmp peer that ignores source address. Use whatever key you want
crypto isakmp key super$secretk3y address 0.0.0.0 0.0.0.0


I assume "super$secretk3y" is a placeholder for the "key"?  What form does the key take?  How would I generate one, or get one?

Create a group for authentication. Set the key to whatever.
crypto isakmp client configuration group vpngroup
 key groupk3y
 pool vpnpool
 acl 100
 save-password
 include-local-lan
 max-users 5


Here, again, is "groupk3y" standing in for the key ?   What form would it take, and how would I generate one, or get one?

Thanks!

0
 
LVL 5

Expert Comment

by:BooSTid
ID: 34125376
Hi, thanks very much -

Please pardon my ignorance, but a few questions.... I'm reasonably smart, but TOTALLY unfamiliar with some of these commands...

Add Users/Usernames
username User1 privilege 15 secret blahblahblah

Yes, User1 is the username, and "blahlblahblah" is that users password. Both of these can be edited to whatever you wish.

Create an isakmp peer that ignores source address. Use whatever key you want
crypto isakmp key super$secretk3y address 0.0.0.0 0.0.0.0

I assume "super$secretk3y" is a placeholder for the "key"?  What form does the key take?  How would I generate one, or get one?

This setting actually isn't needed; I was blowing through this quickly and added it without thinking. If you're using group authentication, you don't need this statement.


Create a group for authentication. Set the key to whatever.
crypto isakmp client configuration group vpngroup
 key groupk3y
 pool vpnpool
 acl 100
 save-password
 include-local-lan
 max-users 5


Here, again, is "groupk3y" standing in for the key ?   What form would it take, and how would I generate one, or get one?

This is the key for the group authentication. When you're setting up a connection from the Cisco client; you specify Group (vpngroup in this example) and then you specify the key for that group, which is what you're setting with this. As with the other, you can use any string you like.

0
 
LVL 26

Author Comment

by:akahan
ID: 34125597
OK, am able to connect to the VPN, and am able to ping machines on the local network from the coffee shop...but, once connected, I can't surf the net.  Unable to ping IP addresses on the internet either by numeric IP address or canonical IP addresses.  Somehow, I'm confined to the LAN when connected from the outside world... what have I screwed up?

0
 
LVL 5

Expert Comment

by:BooSTid
ID: 34125614
On your Cisco client, go to the transport tab of your vpn connection properties make sure you check the box that says allow local LAN access, and make sure you have that included on your router as displayed here:

crypto isakmp client configuration group vpngroup
 key groupk3y
 pool vpnpool
 acl 100
 save-password
 include-local-lan
 max-users 5

0
 
LVL 26

Author Comment

by:akahan
ID: 34125634
Thanks... time to give up for the moment, but I'll be back to this tomorrow... will keep you posted!

0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 26

Author Comment

by:akahan
ID: 34128030
Well, I tried and tried with your proposal, but it didn't work... So then, I tried using Cisco Configuration Professional, in which you utilize a "wizard," which then modifies the running configuration for you to reflect the choices you've made in the wizard.  Using that, I feel I'm very very close: I can log in via the VPN, but still cannot surf to internet sites through the router.   I feel like I must be missing Just One Thing.  Here's a [redacted to remove private information] version of my config... can you tell what's missing or wrong?
-----

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname nohostbar

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 [redacted]

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec local_author local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PST -8

clock summer-time PDT recurring

no ip source-route

no ip gratuitous-arps

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.99

ip dhcp excluded-address 192.168.1.135 192.168.1.254

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.1.0 255.255.255.0

   dns-server 68.87.76.182 68.87.78.134

   default-router 192.168.1.253

!

ip dhcp pool WINKY

   host 192.168.1.106 255.255.255.0

   client-identifier 0100.1903.0030.c4

!

ip dhcp pool ChairmanWIRED

   host 192.168.1.107 255.255.255.0

   client-identifier 0100.0f1f.1812.d2

!

ip dhcp pool SARA

   host 192.168.1.110 255.255.255.0

   client-identifier 0100.123f.aeed.3b

!

ip dhcp pool AVLP2

   host 192.168.1.111 255.255.255.0

   client-identifier 0100.a0b0.6556.90

!

ip dhcp pool MEDIABOY

   host 192.168.1.109 255.255.255.0

   client-identifier 0100.1320.48cd.9d

!

ip dhcp pool DLINKALI

   host 192.168.1.103 255.255.255.0

   client-identifier 0100.1195.b726.d2

!

ip dhcp pool DLINKMPT

   host 192.168.1.100 255.255.255.0

   client-identifier 0100.1195.ca38.e0

!

ip dhcp pool DLINKFR

   host 192.168.1.102 255.255.255.0

   client-identifier 0100.1195.eb66.15

!

ip dhcp pool ChairmanWIRELESS

   host 192.168.1.108 255.255.255.0

   client-identifier 0100.0b6b.358d.42

!

ip dhcp pool ALFA

   host 192.168.1.114 255.255.255.0

   client-identifier 0100.c0ca.26c7.55

!

ip dhcp pool SARALAPWL

   host 192.168.1.116 255.255.255.0

   client-identifier 0100.166f.be13.8e

!

ip dhcp pool SARALAP

   host 192.168.1.117 255.255.255.0

   client-identifier 0100.16d3.2f61.49

!

ip dhcp pool PHILBIN

   host 192.168.1.104 255.255.255.0

   client-identifier 0100.1c23.1f08.61

!

ip dhcp pool PHILBINWL

   host 192.168.1.105 255.255.255.0

   client-identifier 0100.1644.bc35.47

!

ip dhcp pool IPHONE3G

   host 192.168.1.119 255.255.255.0

   client-identifier 0100.21e9.4ff0.8b

!

ip dhcp pool SARAMACETH

   host 192.168.1.120 255.255.255.0

   client-identifier 0158.b035.f73a.6f

!

ip dhcp pool SARAMACWLESS

   host 192.168.1.121 255.255.255.0

   client-identifier 0158.b035.7d8b.1e

!

ip dhcp pool LauraTouch

   host 192.168.1.122 255.255.255.0

   client-identifier 0100.1ec2.532e.9d

!

ip dhcp pool APPLETV

   host 192.168.1.123 255.255.255.0

   client-identifier 0100.1f5b.a96f.ee

!

ip dhcp pool VLPPHONE

   host 192.168.1.124 255.255.255.0

   hardware-address 0004.f2a5.8985

!

ip dhcp pool DISHTVFR

   host 192.168.1.112 255.255.255.0

   client-identifier 0100.0889.8e20.ed

!

ip dhcp pool DISHTVBR

   host 192.168.1.113 255.255.255.0

   client-identifier 0100.0889.502d.af

!

ip dhcp pool IPHONE3GS

   host 192.168.1.115 255.255.255.0

   client-identifier 01c4.2c03.67a7.37

!

ip dhcp pool SaraIphone

   host 192.168.1.101 255.255.255.0

   client-identifier 01f8.1edf.4e85.db

!

ip dhcp pool PORTAROUTER

   host 192.168.1.125 255.255.255.0

   client-identifier 0100.2401.3d11.e4

!

ip dhcp pool NIKKI

   host 192.168.1.126 255.255.255.0

   client-identifier 0100.1b63.c0be.36

!

ip dhcp pool BLURAY

   host 192.168.1.118 255.255.255.0

   client-identifier 0100.16fb.0099.03

!

ip dhcp pool SamDS

   host 192.168.1.127 255.255.255.0

   client-identifier 0100.25a0.f1ac.7a

!

ip dhcp pool SaraTouch

   host 192.168.1.128 255.255.255.0

   client-identifier 0100.2332.5891.f2

!

ip dhcp pool AriIphone4

   host 192.168.1.129 255.255.255.0

   client-identifier 017c.c537.3bd2.f5

!

ip dhcp pool GRACIELLA

   host 192.168.1.130 255.255.255.0

   client-identifier 01e0.cb4e.b124.b8

!

ip dhcp pool CELTOWER

   host 192.168.1.131 255.255.255.0

   client-identifier 0144.5829.3ef3.ba

!

ip dhcp pool blackwii

   host 192.168.1.132 255.255.255.0

   client-identifier 018c.56c5.38c9.f3

!

ip dhcp pool LAURALAPWL

   host 192.168.1.133 255.255.255.0

   client-identifier 0100.24d7.5644.28

!

ip dhcp pool LAURALAPWIRED

   host 192.168.1.134 255.255.255.0

   client-identifier 015c.260a.151b.93

!

!

ip tcp synwait-time 10

no ip bootp server

ip name-server 208.67.220.220

ip name-server 208.67.222.222

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect max-incomplete high 20000000

ip inspect max-incomplete low 20000000

ip inspect one-minute high 100000000

ip inspect one-minute low 100000000

ip inspect tcp max-incomplete host 100000 block-time 0

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

!

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-404758651

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-404758651

 revocation-check none

 rsakeypair TP-self-signed-404758651

!

!

crypto pki certificate chain TP-self-signed-404758651

 certificate self-signed 01

  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34303437 35383635 31301E17 0D313030 36313631 33313332

  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3430 34373538

  36353130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  CA33ACAA A539309F 93478CB8 6710746D C0137632 AE9BC625 12A4E324 CEAC8FC1

  B22A96B9 AA6B32CB 5A486AEC BE2BB54E 02A03228 83365EE9 72BEE864 A0739C5B

  49C839FB 271F0B05 BD3A4DE0 B382B646 18CB5781 839337D2 42B3B024 FBD575D1

  FDF7AD72 10429EDF 5974761A 836BE80B C12840EE D7B96156 61382343 AB066991

  02030100 01A36930 67300F06 03551D13 0101FF04 05300301 01FF3014 0603551D

  11040D30 0B82096E 6F686F73 74626172 301F0603 551D2304 18301680 147C1814

  601ABAAD 1933D0ED CBE030DD 3D4F2B36 BD301D06 03551D0E 04160414 7C181460

  1ABAAD19 33D0EDCB E030DD3D 4F2B36BD 300D0609 2A864886 F70D0101 04050003

  8181006C D6D7527A 82EBE362 452EE6EC 594BA7D8 CFD0E0FD 22058F21 47AA7437

  C181D428 938E008F 3E2CDA95 FDD284AE F80E6DB4 35082372 F97A84ED 5358883B

  BD07DE1B A35EDCEB C466E19B E4396107 AC6A52A2 717704A9 8A14B3BF 012C5BD7

  4F840B2B ECEA9F35 42B1A37F 7FC87538 B7011EE4 66B8D679 E17D3134 7D0DFC0A B7C36A

  quit

crypto ctcp port 10000

!

!

username admin privilege 15 secret 5 [redacted]

username akahan privilege 15 secret 5 [redacted]

!

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp client configuration group vpnusers

 key [redacted]

 pool SDM_POOL_1

 include-local-lan

 max-users 10

 netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group vpnusers

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

 set transform-set ESP-3DES-SHA

 set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

interface Null0

 no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$

 ip address 208.74.[redacted] 255.255.255.224

 ip access-group 101 in

 ip verify unicast reverse-path

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip inspect SDM_LOW out

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

!

interface Virtual-Template1 type tunnel

 ip unnumbered FastEthernet4

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

 ip address 192.168.1.1 255.255.255.0

 ip access-group 2051 in

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 192.168.55.1 192.168.55.20

ip route 0.0.0.0 0.0.0.0 208.74.177.97 10

ip route 0.0.0.0 0.0.0.0 192.168.1.253 20

!

!

ip http server

ip http access-class 1

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static udp 192.168.1.124 5060 interface FastEthernet4 5060

ip nat inside source static udp 192.168.1.124 5199 interface FastEthernet4 5199

ip nat inside source static udp 192.168.1.124 3479 interface FastEthernet4 3479

ip nat inside source static udp 192.168.1.124 15044 interface FastEthernet4 15044

ip nat inside source static tcp 192.168.1.199 6999 interface FastEthernet4 6999

ip nat inside source static tcp 192.168.1.199 6998 interface FastEthernet4 6998

ip nat inside source static tcp 192.168.1.199 6997 interface FastEthernet4 6997

ip nat inside source static tcp 192.168.1.199 6996 interface FastEthernet4 6996

ip nat inside source static tcp 192.168.1.199 6995 interface FastEthernet4 6995

ip nat inside source static tcp 192.168.1.199 6994 interface FastEthernet4 6994

ip nat inside source static tcp 192.168.1.199 6993 interface FastEthernet4 6993

ip nat inside source static tcp 192.168.1.199 6992 interface FastEthernet4 6992

ip nat inside source static tcp 192.168.1.199 6991 interface FastEthernet4 6991

ip nat inside source static tcp 192.168.1.199 6990 interface FastEthernet4 6990

ip nat inside source static tcp 192.168.1.199 6989 interface FastEthernet4 6989

ip nat inside source static tcp 192.168.1.199 6988 interface FastEthernet4 6988

ip nat inside source static tcp 192.168.1.199 6987 interface FastEthernet4 6987

ip nat inside source static tcp 192.168.1.199 6986 interface FastEthernet4 6986

ip nat inside source static tcp 192.168.1.199 6985 interface FastEthernet4 6985

ip nat inside source static tcp 192.168.1.199 6984 interface FastEthernet4 6984

ip nat inside source static tcp 192.168.1.199 6983 interface FastEthernet4 6983

ip nat inside source static tcp 192.168.1.199 6982 interface FastEthernet4 6982

ip nat inside source static tcp 192.168.1.199 6981 interface FastEthernet4 6981

ip nat inside source static tcp 192.168.1.199 6980 interface FastEthernet4 6980

ip nat inside source static tcp 192.168.1.199 6979 interface FastEthernet4 6979

ip nat inside source static tcp 192.168.1.199 6978 interface FastEthernet4 6978

ip nat inside source static tcp 192.168.1.199 6977 interface FastEthernet4 6977

ip nat inside source static tcp 192.168.1.199 6976 interface FastEthernet4 6976

ip nat inside source static tcp 192.168.1.199 6975 interface FastEthernet4 6975

ip nat inside source static tcp 192.168.1.199 6974 interface FastEthernet4 6974

ip nat inside source static tcp 192.168.1.199 6973 interface FastEthernet4 6973

ip nat inside source static tcp 192.168.1.199 6972 interface FastEthernet4 6972

ip nat inside source static tcp 192.168.1.199 6971 interface FastEthernet4 6971

ip nat inside source static tcp 192.168.1.199 6970 interface FastEthernet4 6970

ip nat inside source static tcp 192.168.1.199 6969 interface FastEthernet4 6969

ip nat inside source static tcp 192.168.1.199 6968 interface FastEthernet4 6968

ip nat inside source static tcp 192.168.1.199 6967 interface FastEthernet4 6967

ip nat inside source static tcp 192.168.1.199 6966 interface FastEthernet4 6966

ip nat inside source static tcp 192.168.1.199 6965 interface FastEthernet4 6965

ip nat inside source static tcp 192.168.1.199 6964 interface FastEthernet4 6964

ip nat inside source static tcp 192.168.1.199 6963 interface FastEthernet4 6963

ip nat inside source static tcp 192.168.1.199 6962 interface FastEthernet4 6962

ip nat inside source static tcp 192.168.1.199 6961 interface FastEthernet4 6961

ip nat inside source static tcp 192.168.1.199 6960 interface FastEthernet4 6960

ip nat inside source static tcp 192.168.1.199 6959 interface FastEthernet4 6959

ip nat inside source static tcp 192.168.1.199 6958 interface FastEthernet4 6958

ip nat inside source static tcp 192.168.1.199 6957 interface FastEthernet4 6957

ip nat inside source static tcp 192.168.1.199 6956 interface FastEthernet4 6956

ip nat inside source static tcp 192.168.1.199 6955 interface FastEthernet4 6955

ip nat inside source static tcp 192.168.1.199 6954 interface FastEthernet4 6954

ip nat inside source static tcp 192.168.1.199 6953 interface FastEthernet4 6953

ip nat inside source static tcp 192.168.1.199 6952 interface FastEthernet4 6952

ip nat inside source static tcp 192.168.1.199 6951 interface FastEthernet4 6951

ip nat inside source static tcp 192.168.1.199 6950 interface FastEthernet4 6950

ip nat inside source static tcp 192.168.1.199 6949 interface FastEthernet4 6949

ip nat inside source static tcp 192.168.1.199 6948 interface FastEthernet4 6948

ip nat inside source static tcp 192.168.1.199 6947 interface FastEthernet4 6947

ip nat inside source static tcp 192.168.1.199 6946 interface FastEthernet4 6946

ip nat inside source static tcp 192.168.1.199 6945 interface FastEthernet4 6945

ip nat inside source static tcp 192.168.1.199 6944 interface FastEthernet4 6944

ip nat inside source static tcp 192.168.1.199 6943 interface FastEthernet4 6943

ip nat inside source static tcp 192.168.1.199 6942 interface FastEthernet4 6942

ip nat inside source static tcp 192.168.1.199 6941 interface FastEthernet4 6941

ip nat inside source static tcp 192.168.1.199 6940 interface FastEthernet4 6940

ip nat inside source static tcp 192.168.1.199 6939 interface FastEthernet4 6939

ip nat inside source static tcp 192.168.1.199 6938 interface FastEthernet4 6938

ip nat inside source static tcp 192.168.1.199 6937 interface FastEthernet4 6937

ip nat inside source static tcp 192.168.1.199 6936 interface FastEthernet4 6936

ip nat inside source static tcp 192.168.1.199 6935 interface FastEthernet4 6935

ip nat inside source static tcp 192.168.1.199 6934 interface FastEthernet4 6934

ip nat inside source static tcp 192.168.1.199 6933 interface FastEthernet4 6933

ip nat inside source static tcp 192.168.1.199 6932 interface FastEthernet4 6932

ip nat inside source static tcp 192.168.1.199 6931 interface FastEthernet4 6931

ip nat inside source static tcp 192.168.1.199 6930 interface FastEthernet4 6930

ip nat inside source static tcp 192.168.1.199 6929 interface FastEthernet4 6929

ip nat inside source static tcp 192.168.1.199 6928 interface FastEthernet4 6928

ip nat inside source static tcp 192.168.1.199 6927 interface FastEthernet4 6927

ip nat inside source static tcp 192.168.1.199 6926 interface FastEthernet4 6926

ip nat inside source static tcp 192.168.1.199 6925 interface FastEthernet4 6925

ip nat inside source static tcp 192.168.1.199 6924 interface FastEthernet4 6924

ip nat inside source static tcp 192.168.1.199 6923 interface FastEthernet4 6923

ip nat inside source static tcp 192.168.1.199 6922 interface FastEthernet4 6922

ip nat inside source static tcp 192.168.1.199 6921 interface FastEthernet4 6921

ip nat inside source static tcp 192.168.1.199 6920 interface FastEthernet4 6920

ip nat inside source static tcp 192.168.1.199 6919 interface FastEthernet4 6919

ip nat inside source static tcp 192.168.1.199 6918 interface FastEthernet4 6918

ip nat inside source static tcp 192.168.1.199 6917 interface FastEthernet4 6917

ip nat inside source static tcp 192.168.1.199 6916 interface FastEthernet4 6916

ip nat inside source static tcp 192.168.1.199 6915 interface FastEthernet4 6915

ip nat inside source static tcp 192.168.1.199 6914 interface FastEthernet4 6914

ip nat inside source static tcp 192.168.1.199 6913 interface FastEthernet4 6913

ip nat inside source static tcp 192.168.1.199 6912 interface FastEthernet4 6912

ip nat inside source static tcp 192.168.1.199 6911 interface FastEthernet4 6911

ip nat inside source static tcp 192.168.1.199 6910 interface FastEthernet4 6910

ip nat inside source static tcp 192.168.1.199 6909 interface FastEthernet4 6909

ip nat inside source static tcp 192.168.1.199 6908 interface FastEthernet4 6908

ip nat inside source static tcp 192.168.1.199 6907 interface FastEthernet4 6907

ip nat inside source static tcp 192.168.1.199 6906 interface FastEthernet4 6906

ip nat inside source static tcp 192.168.1.199 6905 interface FastEthernet4 6905

ip nat inside source static tcp 192.168.1.199 6904 interface FastEthernet4 6904

ip nat inside source static tcp 192.168.1.199 6903 interface FastEthernet4 6903

ip nat inside source static tcp 192.168.1.199 6902 interface FastEthernet4 6902

ip nat inside source static tcp 192.168.1.199 6901 interface FastEthernet4 6901

ip nat inside source static tcp 192.168.1.199 6900 interface FastEthernet4 6900

ip nat inside source static tcp 192.168.1.199 6899 interface FastEthernet4 6899

ip nat inside source static tcp 192.168.1.199 6898 interface FastEthernet4 6898

ip nat inside source static tcp 192.168.1.199 6897 interface FastEthernet4 6897

ip nat inside source static tcp 192.168.1.199 6896 interface FastEthernet4 6896

ip nat inside source static tcp 192.168.1.199 6895 interface FastEthernet4 6895

ip nat inside source static tcp 192.168.1.199 6894 interface FastEthernet4 6894

ip nat inside source static tcp 192.168.1.199 6893 interface FastEthernet4 6893

ip nat inside source static tcp 192.168.1.199 6892 interface FastEthernet4 6892

ip nat inside source static tcp 192.168.1.199 6891 interface FastEthernet4 6891

ip nat inside source static tcp 192.168.1.199 6890 interface FastEthernet4 6890

ip nat inside source static tcp 192.168.1.199 6889 interface FastEthernet4 6889

ip nat inside source static tcp 192.168.1.199 6888 interface FastEthernet4 6888

ip nat inside source static tcp 192.168.1.199 6887 interface FastEthernet4 6887

ip nat inside source static tcp 192.168.1.199 6886 interface FastEthernet4 6886

ip nat inside source static tcp 192.168.1.199 6885 interface FastEthernet4 6885

ip nat inside source static tcp 192.168.1.199 6884 interface FastEthernet4 6884

ip nat inside source static tcp 192.168.1.199 6883 interface FastEthernet4 6883

ip nat inside source static tcp 192.168.1.199 6882 interface FastEthernet4 6882

ip nat inside source static tcp 192.168.1.199 6881 interface FastEthernet4 6881

ip nat inside source static tcp 192.168.1.199 6112 interface FastEthernet4 6112

ip nat inside source static tcp 192.168.1.199 3724 interface FastEthernet4 3724

ip nat inside source static udp 192.168.1.104 12344 interface FastEthernet4 12344

ip nat inside source static tcp 192.168.1.104 12344 interface FastEthernet4 12344

ip nat inside source static tcp 192.168.1.110 13853 interface FastEthernet4 13853

ip nat inside source static tcp 192.168.1.104 13852 interface FastEthernet4 13852

ip nat inside source static tcp 192.168.1.51 631 interface FastEthernet4 10000

ip nat inside source static tcp 192.168.1.109 4711 interface FastEthernet4 4711

ip nat inside source static tcp 192.168.1.109 4662 interface FastEthernet4 4662

ip nat inside source static udp 192.168.1.109 4672 interface FastEthernet4 4672

ip nat inside source static tcp 192.168.1.109 11888 interface FastEthernet4 11888

ip nat inside source static tcp 192.168.1.109 6710 interface FastEthernet4 6710

ip nat inside source static tcp 192.168.1.51 9100 interface FastEthernet4 10001

ip nat inside source static tcp 192.168.1.52 9100 interface FastEthernet4 10002

ip nat inside source static tcp 192.168.1.106 13854 interface FastEthernet4 13854

ip nat inside source static tcp 192.168.1.115 38341 interface FastEthernet4 38341

ip nat inside source static udp 192.168.1.115 38341 interface FastEthernet4 38341

ip nat inside source static udp 192.168.1.106 13854 interface FastEthernet4 13854

ip nat inside source static udp 192.168.1.104 13852 interface FastEthernet4 13852

ip nat inside source static udp 192.168.1.110 13853 interface FastEthernet4 13853

ip nat inside source static udp 192.168.1.110 12345 interface FastEthernet4 12345

ip nat inside source static tcp 192.168.1.110 12345 interface FastEthernet4 12345

ip nat inside source static tcp 192.168.1.109 12346 interface FastEthernet4 12346

ip nat inside source static udp 192.168.1.109 12346 interface FastEthernet4 12346

ip nat inside source static udp 192.168.1.104 6346 interface FastEthernet4 6346

ip nat inside source static tcp 192.168.1.104 6346 interface FastEthernet4 6346

ip nat inside source static tcp 192.168.1.104 5910 interface FastEthernet4 5910

ip nat inside source static tcp 192.168.1.109 9988 interface FastEthernet4 9988

ip nat inside source static tcp 192.168.1.109 10081 interface FastEthernet4 10081

ip nat inside source static udp 192.168.1.109 10081 interface FastEthernet4 10081

ip nat inside source static tcp 192.168.1.109 65500 interface FastEthernet4 65500

ip nat inside source static udp 192.168.1.109 444 interface FastEthernet4 444

ip nat inside source static tcp 192.168.1.109 444 interface FastEthernet4 444

ip nat inside source static udp 192.168.1.104 5500 interface FastEthernet4 5500

ip nat inside source static tcp 192.168.1.104 5500 interface FastEthernet4 5500

ip nat inside source static tcp 192.168.1.109 5905 interface FastEthernet4 5905

!

logging trap debugging

access-list 1 permit 67.170.236.160

access-list 1 remark Auto generated by SDM Management Access feature

access-list 1 remark SDM_ACL Category=1

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=0

access-list 100 deny   ip 208.74.177.96 0.0.0.31 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark CCP_ACL Category=1

access-list 101 permit udp any host 208.74.[redacted] eq 5060

access-list 101 permit udp any host 208.74.[redacted] eq non500-isakmp

access-list 101 permit udp any host 208.74.[redacted] eq isakmp

access-list 101 permit esp any host 208.74.[redacted]

access-list 101 permit ahp any host 208.74.[redacted]

access-list 101 permit udp any host 208.74.[redacted] eq 5199

access-list 101 permit udp any host 208.74.[redacted] eq 3479

access-list 101 permit udp any host 208.74.[redacted] eq 15044

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 permit tcp any host 208.74.[redacted] eq 444

access-list 101 permit udp any host 208.74.[redacted] eq 444

access-list 101 permit tcp host 24.7.127.6 host 208.74.[redacted] eq telnet

access-list 101 permit tcp host 24.7.127.6 host 208.74.[redacted] eq 22

access-list 101 permit tcp host 24.7.127.6 host 208.74.[redacted] eq www

access-list 101 permit tcp host 24.7.127.6 host 208.74.[redacted] eq 443

access-list 101 permit tcp host 24.7.127.6 host 208.74.[redacted] eq cmd

access-list 101 deny   udp any host 208.74.[redacted] eq snmp

access-list 101 permit udp host 208.67.222.222 eq domain any

access-list 101 permit udp host 204.11.224.14 eq domain any

access-list 101 permit udp host 204.11.231.14 eq domain any

access-list 101 permit udp host 208.67.220.220 eq domain any

access-list 101 permit udp any host 208.74.[redacted] eq 10081

access-list 101 permit tcp any host 208.74.[redacted] eq 10081

access-list 101 permit tcp any host 208.74.[redacted] eq 9988

access-list 101 permit tcp any host 208.74.[redacted] eq 5500

access-list 101 permit tcp any host 208.74.[redacted] eq 5910

access-list 101 permit tcp any host 208.74.[redacted] eq 6346

access-list 101 permit udp any host 208.74.[redacted] eq 6346

access-list 101 permit udp any host 208.74.[redacted] eq 12346

access-list 101 permit tcp any host 208.74.[redacted] eq 12346

access-list 101 permit tcp any host 208.74.[redacted] eq 12345

access-list 101 permit udp any host 208.74.[redacted] eq 12345

access-list 101 permit udp any host 208.74.[redacted] eq 13853

access-list 101 permit udp any host 208.74.[redacted] eq 13852

access-list 101 permit udp any host 208.74.[redacted] eq 13854

access-list 101 permit udp any host 208.74.[redacted] eq 38341

access-list 101 permit tcp any host 208.74.[redacted] eq 38341

access-list 101 permit tcp any host 208.74.[redacted] eq 13854

access-list 101 permit tcp any host 208.74.[redacted] eq 10001

access-list 101 permit tcp any host 208.74.[redacted] eq 10002

access-list 101 permit tcp any host 208.74.[redacted] eq 6710

access-list 101 permit tcp any host 208.74.[redacted] eq 65500

access-list 101 permit tcp any host 208.74.[redacted] eq 11888

access-list 101 permit udp any host 208.74.[redacted] eq 4672

access-list 101 permit tcp any host 208.74.[redacted] eq 4662

access-list 101 permit tcp any host 208.74.[redacted] eq 4711

access-list 101 permit tcp any host 208.74.[redacted] eq 10000

access-list 101 permit tcp any host 208.74.[redacted] eq 13852

access-list 101 permit tcp any host 208.74.[redacted] eq 5905

access-list 101 permit tcp any host 208.74.[redacted] eq 13853

access-list 101 permit tcp any host 208.74.[redacted] eq 12344

access-list 101 permit udp any host 208.74.[redacted] eq 12344

access-list 101 permit tcp any host 208.74.[redacted] eq 3724

access-list 101 permit tcp any host 208.74.[redacted] eq 6112

access-list 101 permit tcp any host 208.74.[redacted] eq 6881

access-list 101 permit tcp any host 208.74.[redacted] eq 6882

access-list 101 permit tcp any host 208.74.[redacted] eq 6883

access-list 101 permit tcp any host 208.74.[redacted] eq 6884

access-list 101 permit tcp any host 208.74.[redacted] eq 6885

access-list 101 permit tcp any host 208.74.[redacted] eq 6886

access-list 101 permit tcp any host 208.74.[redacted] eq 6887

access-list 101 permit tcp any host 208.74.[redacted] eq 6888

access-list 101 permit tcp any host 208.74.[redacted] eq 6889

access-list 101 permit tcp any host 208.74.[redacted] eq 6890

access-list 101 permit tcp any host 208.74.[redacted] eq 6891

access-list 101 permit tcp any host 208.74.[redacted] eq 6892

access-list 101 permit tcp any host 208.74.[redacted] eq 6893

access-list 101 permit tcp any host 208.74.[redacted] eq 6894

access-list 101 permit tcp any host 208.74.[redacted] eq 6895

access-list 101 permit tcp any host 208.74.[redacted] eq 6896

access-list 101 permit tcp any host 208.74.[redacted] eq 6897

access-list 101 permit tcp any host 208.74.[redacted] eq 6898

access-list 101 permit tcp any host 208.74.[redacted] eq 6899

access-list 101 permit tcp any host 208.74.[redacted] eq 6900

access-list 101 permit tcp any host 208.74.[redacted] eq 6901

access-list 101 permit tcp any host 208.74.[redacted] eq 6902

access-list 101 permit tcp any host 208.74.[redacted] eq 6903

access-list 101 permit tcp any host 208.74.[redacted] eq 6904

access-list 101 permit tcp any host 208.74.[redacted] eq 6905

access-list 101 permit tcp any host 208.74.[redacted] eq 6906

access-list 101 permit tcp any host 208.74.[redacted] eq 6907

access-list 101 permit tcp any host 208.74.[redacted] eq 6908

access-list 101 permit tcp any host 208.74.[redacted] eq 6909

access-list 101 permit tcp any host 208.74.[redacted] eq 6910

access-list 101 permit tcp any host 208.74.[redacted] eq 6911

access-list 101 permit tcp any host 208.74.[redacted] eq 6912

access-list 101 permit tcp any host 208.74.[redacted] eq 6913

access-list 101 permit tcp any host 208.74.[redacted] eq 6914

access-list 101 permit tcp any host 208.74.[redacted] eq 6915

access-list 101 permit tcp any host 208.74.[redacted] eq 6916

access-list 101 permit tcp any host 208.74.[redacted] eq 6917

access-list 101 permit tcp any host 208.74.[redacted] eq 6918

access-list 101 permit tcp any host 208.74.[redacted] eq 6919

access-list 101 permit tcp any host 208.74.[redacted] eq 6920

access-list 101 permit tcp any host 208.74.[redacted] eq 6921

access-list 101 permit tcp any host 208.74.[redacted] eq 6922

access-list 101 permit tcp any host 208.74.[redacted] eq 6923

access-list 101 permit tcp any host 208.74.[redacted] eq 6924

access-list 101 permit tcp any host 208.74.[redacted] eq 6925

access-list 101 permit tcp any host 208.74.[redacted] eq 6926

access-list 101 permit tcp any host 208.74.[redacted] eq 6927

access-list 101 permit tcp any host 208.74.[redacted] eq 6928

access-list 101 permit tcp any host 208.74.[redacted] eq 6929

access-list 101 permit tcp any host 208.74.[redacted] eq 6930

access-list 101 permit tcp any host 208.74.[redacted] eq 6931

access-list 101 permit tcp any host 208.74.[redacted] eq 6932

access-list 101 permit tcp any host 208.74.[redacted] eq 6933

access-list 101 permit tcp any host 208.74.[redacted] eq 6934

access-list 101 permit tcp any host 208.74.[redacted] eq 6935

access-list 101 permit tcp any host 208.74.[redacted] eq 6936

access-list 101 permit tcp any host 208.74.[redacted] eq 6937

access-list 101 permit tcp any host 208.74.[redacted] eq 6938

access-list 101 permit tcp any host 208.74.[redacted] eq 6939

access-list 101 permit tcp any host 208.74.[redacted] eq 6940

access-list 101 permit tcp any host 208.74.[redacted] eq 6941

access-list 101 permit tcp any host 208.74.[redacted] eq 6942

access-list 101 permit tcp any host 208.74.[redacted] eq 6943

access-list 101 permit tcp any host 208.74.[redacted] eq 6944

access-list 101 permit tcp any host 208.74.[redacted] eq 6945

access-list 101 permit tcp any host 208.74.[redacted] eq 6946

access-list 101 permit tcp any host 208.74.[redacted] eq 6947

access-list 101 permit tcp any host 208.74.[redacted] eq 6948

access-list 101 permit tcp any host 208.74.[redacted] eq 6949

access-list 101 permit tcp any host 208.74.[redacted] eq 6950

access-list 101 permit tcp any host 208.74.[redacted] eq 6951

access-list 101 permit tcp any host 208.74.[redacted] eq 6952

access-list 101 permit tcp any host 208.74.[redacted] eq 6953

access-list 101 permit tcp any host 208.74.[redacted] eq 6954

access-list 101 permit tcp any host 208.74.[redacted] eq 6955

access-list 101 permit tcp any host 208.74.[redacted] eq 6956

access-list 101 permit tcp any host 208.74.[redacted] eq 6957

access-list 101 permit tcp any host 208.74.[redacted] eq 6958

access-list 101 permit tcp any host 208.74.[redacted] eq 6959

access-list 101 permit tcp any host 208.74.[redacted] eq 6960

access-list 101 permit tcp any host 208.74.[redacted] eq 6961

access-list 101 permit tcp any host 208.74.[redacted] eq 6962

access-list 101 permit tcp any host 208.74.[redacted] eq 6963

access-list 101 permit tcp any host 208.74.[redacted] eq 6964

access-list 101 permit tcp any host 208.74.[redacted] eq 6965

access-list 101 permit tcp any host 208.74.[redacted] eq 6966

access-list 101 permit tcp any host 208.74.[redacted] eq 6967

access-list 101 permit tcp any host 208.74.[redacted] eq 6968

access-list 101 permit tcp any host 208.74.[redacted] eq 6969

access-list 101 permit tcp any host 208.74.[redacted] eq 6970

access-list 101 permit tcp any host 208.74.[redacted] eq 6971

access-list 101 permit tcp any host 208.74.[redacted] eq 6972

access-list 101 permit tcp any host 208.74.[redacted] eq 6973

access-list 101 permit tcp any host 208.74.[redacted] eq 6974

access-list 101 permit tcp any host 208.74.[redacted] eq 6975

access-list 101 permit tcp any host 208.74.[redacted] eq 6976

access-list 101 permit tcp any host 208.74.[redacted] eq 6977

access-list 101 permit tcp any host 208.74.[redacted] eq 6978

access-list 101 permit tcp any host 208.74.[redacted] eq 6979

access-list 101 permit tcp any host 208.74.[redacted] eq 6980

access-list 101 permit tcp any host 208.74.[redacted] eq 6981

access-list 101 permit tcp any host 208.74.[redacted] eq 6982

access-list 101 permit tcp any host 208.74.[redacted] eq 6983

access-list 101 permit tcp any host 208.74.[redacted] eq 6984

access-list 101 permit tcp any host 208.74.[redacted] eq 6985

access-list 101 permit tcp any host 208.74.[redacted] eq 6986

access-list 101 permit tcp any host 208.74.[redacted] eq 6987

access-list 101 permit tcp any host 208.74.[redacted] eq 6988

access-list 101 permit tcp any host 208.74.[redacted] eq 6989

access-list 101 permit tcp any host 208.74.[redacted] eq 6990

access-list 101 permit tcp any host 208.74.[redacted] eq 6991

access-list 101 permit tcp any host 208.74.[redacted] eq 6992

access-list 101 permit tcp any host 208.74.[redacted] eq 6993

access-list 101 permit tcp any host 208.74.[redacted] eq 6994

access-list 101 permit tcp any host 208.74.[redacted] eq 6995

access-list 101 permit tcp any host 208.74.[redacted] eq 6996

access-list 101 permit tcp any host 208.74.[redacted] eq 6997

access-list 101 permit tcp any host 208.74.[redacted] eq 6998

access-list 101 permit tcp any host 208.74.[redacted] eq 6999

access-list 101 permit gre any host 208.74.[redacted]

access-list 101 remark Auto generated by SDM for NTP (123) 216.39.144.207

access-list 101 permit udp host 216.39.144.207 eq ntp host 208.74.[redacted] eq ntp

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any host 208.74.[redacted] echo-reply

access-list 101 permit icmp any host 208.74.[redacted] time-exceeded

access-list 101 permit icmp any host 208.74.[redacted] unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any log

access-list 102 remark SDM_ACL Category=129

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip host 67.170.236.160 any

access-list 102 permit udp any host 208.74.[redacted] eq 10081

access-list 102 permit tcp any host 208.74.[redacted] eq 10081

access-list 102 permit tcp any host 208.74.[redacted] eq 9988

access-list 102 permit tcp any host 208.74.[redacted] eq 5910

access-list 102 permit tcp any host 208.74.[redacted] eq 6346

access-list 102 permit udp any host 208.74.[redacted] eq 6346

access-list 102 permit udp any host 208.74.[redacted] eq 12346

access-list 102 permit tcp any host 208.74.[redacted] eq 12346

access-list 102 permit tcp any host 208.74.[redacted] eq 12345

access-list 102 permit udp any host 208.74.[redacted] eq 12345

access-list 102 permit udp any host 208.74.[redacted] eq 13853

access-list 102 permit udp any host 208.74.[redacted] eq 13852

access-list 102 permit udp any host 208.74.[redacted] eq 13854

access-list 102 permit udp any host 208.74.[redacted] eq 38341

access-list 102 permit tcp any host 208.74.[redacted] eq 38341

access-list 102 permit tcp any host 208.74.[redacted] eq 13854

access-list 102 permit tcp any host 208.74.[redacted] eq 10001

access-list 102 permit tcp any host 208.74.[redacted] eq 10002

access-list 102 permit tcp any host 208.74.[redacted] eq 6710

access-list 102 permit tcp any host 208.74.[redacted] eq 11888

access-list 102 permit udp any host 208.74.[redacted] eq 4672

access-list 102 permit tcp any host 208.74.[redacted] eq 4662

access-list 102 permit tcp any host 208.74.[redacted] eq 4711

access-list 102 permit tcp any host 208.74.[redacted] eq 10000

access-list 102 permit tcp any host 208.74.[redacted] eq 13852

access-list 102 permit tcp any host 208.74.[redacted] eq 13853

access-list 102 permit tcp any host 208.74.[redacted] eq 12344

access-list 102 permit udp any host 208.74.[redacted] eq 12344

access-list 102 permit tcp any host 208.74.[redacted] eq 3724

access-list 102 permit tcp any host 208.74.[redacted] eq 6112

access-list 102 permit tcp any host 208.74.[redacted] eq 6881

access-list 102 permit tcp any host 208.74.[redacted] eq 6882

access-list 102 permit tcp any host 208.74.[redacted] eq 6883

access-list 102 permit tcp any host 208.74.[redacted] eq 6884

access-list 102 permit tcp any host 208.74.[redacted] eq 6885

access-list 102 permit tcp any host 208.74.[redacted] eq 6886

access-list 102 permit tcp any host 208.74.[redacted] eq 6887

access-list 102 permit tcp any host 208.74.[redacted] eq 6888

access-list 102 permit tcp any host 208.74.[redacted] eq 6889

access-list 102 permit tcp any host 208.74.[redacted] eq 6890

access-list 102 permit tcp any host 208.74.[redacted] eq 6891

access-list 102 permit tcp any host 208.74.[redacted] eq 6892

access-list 102 permit tcp any host 208.74.[redacted] eq 6893

access-list 102 permit tcp any host 208.74.[redacted] eq 6894

access-list 102 permit tcp any host 208.74.[redacted] eq 6895

access-list 102 permit tcp any host 208.74.[redacted] eq 6896

access-list 102 permit tcp any host 208.74.[redacted] eq 6897

access-list 102 permit tcp any host 208.74.[redacted] eq 6898

access-list 102 permit tcp any host 208.74.[redacted] eq 6899

access-list 102 permit tcp any host 208.74.[redacted] eq 6900

access-list 102 permit tcp any host 208.74.[redacted] eq 6901

access-list 102 permit tcp any host 208.74.[redacted] eq 6902

access-list 102 permit tcp any host 208.74.[redacted] eq 6903

access-list 102 permit tcp any host 208.74.[redacted] eq 6904

access-list 102 permit tcp any host 208.74.[redacted] eq 6905

access-list 102 permit tcp any host 208.74.[redacted] eq 6906

access-list 102 permit tcp any host 208.74.[redacted] eq 6907

access-list 102 permit tcp any host 208.74.[redacted] eq 6908

access-list 102 permit tcp any host 208.74.[redacted] eq 6909

access-list 102 permit tcp any host 208.74.[redacted] eq 6910

access-list 102 permit tcp any host 208.74.[redacted] eq 6911

access-list 102 permit tcp any host 208.74.[redacted] eq 6912

access-list 102 permit tcp any host 208.74.[redacted] eq 6913

access-list 102 permit tcp any host 208.74.[redacted] eq 6914

access-list 102 permit tcp any host 208.74.[redacted] eq 6915

access-list 102 permit tcp any host 208.74.[redacted] eq 6916

access-list 102 permit tcp any host 208.74.[redacted] eq 6917

access-list 102 permit tcp any host 208.74.[redacted] eq 6918

access-list 102 permit tcp any host 208.74.[redacted] eq 6919

access-list 102 permit tcp any host 208.74.[redacted] eq 6920

access-list 102 permit tcp any host 208.74.[redacted] eq 6921

access-list 102 permit tcp any host 208.74.[redacted] eq 6922

access-list 102 permit tcp any host 208.74.[redacted] eq 6923

access-list 102 permit tcp any host 208.74.[redacted] eq 6924

access-list 102 permit tcp any host 208.74.[redacted] eq 6925

access-list 102 permit tcp any host 208.74.[redacted] eq 6926

access-list 102 permit tcp any host 208.74.[redacted] eq 6927

access-list 102 permit tcp any host 208.74.[redacted] eq 6928

access-list 102 permit tcp any host 208.74.[redacted] eq 6929

access-list 102 permit tcp any host 208.74.[redacted] eq 6930

access-list 102 permit tcp any host 208.74.[redacted] eq 6931

access-list 102 permit tcp any host 208.74.[redacted] eq 6932

access-list 102 permit tcp any host 208.74.[redacted] eq 6933

access-list 102 permit tcp any host 208.74.[redacted] eq 6934

access-list 102 permit tcp any host 208.74.[redacted] eq 6935

access-list 102 permit tcp any host 208.74.[redacted] eq 6936

access-list 102 permit tcp any host 208.74.[redacted] eq 6937

access-list 102 permit tcp any host 208.74.[redacted] eq 6938

access-list 102 permit tcp any host 208.74.[redacted] eq 6939

access-list 102 permit tcp any host 208.74.[redacted] eq 6940

access-list 102 permit tcp any host 208.74.[redacted] eq 6941

access-list 102 permit tcp any host 208.74.[redacted] eq 6942

access-list 102 permit tcp any host 208.74.[redacted] eq 6943

access-list 102 permit tcp any host 208.74.[redacted] eq 6944

access-list 102 permit tcp any host 208.74.[redacted] eq 6945

access-list 102 permit tcp any host 208.74.[redacted] eq 6946

access-list 102 permit tcp any host 208.74.[redacted] eq 6947

access-list 102 permit tcp any host 208.74.[redacted] eq 6948

access-list 102 permit tcp any host 208.74.[redacted] eq 6949

access-list 102 permit tcp any host 208.74.[redacted] eq 6950

access-list 102 permit tcp any host 208.74.[redacted] eq 6951

access-list 102 permit tcp any host 208.74.[redacted] eq 6952

access-list 102 permit tcp any host 208.74.[redacted] eq 6953

access-list 102 permit tcp any host 208.74.[redacted] eq 6954

access-list 102 permit tcp any host 208.74.[redacted] eq 6955

access-list 102 permit tcp any host 208.74.[redacted] eq 6956

access-list 102 permit tcp any host 208.74.[redacted] eq 6957

access-list 102 permit tcp any host 208.74.[redacted] eq 6958

access-list 102 permit tcp any host 208.74.[redacted] eq 6959

access-list 102 permit tcp any host 208.74.[redacted] eq 6960

access-list 102 permit tcp any host 208.74.[redacted] eq 6961

access-list 102 permit tcp any host 208.74.[redacted] eq 6962

access-list 102 permit tcp any host 208.74.[redacted] eq 6963

access-list 102 permit tcp any host 208.74.[redacted] eq 6964

access-list 102 permit tcp any host 208.74.[redacted] eq 6965

access-list 102 permit tcp any host 208.74.[redacted] eq 6966

access-list 102 permit tcp any host 208.74.[redacted] eq 6967

access-list 102 permit tcp any host 208.74.[redacted] eq 6968

access-list 102 permit tcp any host 208.74.[redacted] eq 6969

access-list 102 permit tcp any host 208.74.[redacted] eq 6970

access-list 102 permit tcp any host 208.74.[redacted] eq 6971

access-list 102 permit tcp any host 208.74.[redacted] eq 6972

access-list 102 permit tcp any host 208.74.[redacted] eq 6973

access-list 102 permit tcp any host 208.74.[redacted] eq 6974

access-list 102 permit tcp any host 208.74.[redacted] eq 6975

access-list 102 permit tcp any host 208.74.[redacted] eq 6976

access-list 102 permit tcp any host 208.74.[redacted] eq 6977

access-list 102 permit tcp any host 208.74.[redacted] eq 6978

access-list 102 permit tcp any host 208.74.[redacted] eq 6979

access-list 102 permit tcp any host 208.74.[redacted] eq 6980

access-list 102 permit tcp any host 208.74.[redacted] eq 6981

access-list 102 permit tcp any host 208.74.[redacted] eq 6982

access-list 102 permit tcp any host 208.74.[redacted] eq 6983

access-list 102 permit tcp any host 208.74.[redacted] eq 6984

access-list 102 permit tcp any host 208.74.[redacted] eq 6985

access-list 102 permit tcp any host 208.74.[redacted] eq 6986

access-list 102 permit tcp any host 208.74.[redacted] eq 6987

access-list 102 permit tcp any host 208.74.[redacted] eq 6988

access-list 102 permit tcp any host 208.74.[redacted] eq 6989

access-list 102 permit tcp any host 208.74.[redacted] eq 6990

access-list 102 permit tcp any host 208.74.[redacted] eq 6991

access-list 102 permit tcp any host 208.74.[redacted] eq 6992

access-list 102 permit tcp any host 208.74.[redacted] eq 6993

access-list 102 permit tcp any host 208.74.[redacted] eq 6994

access-list 102 permit tcp any host 208.74.[redacted] eq 6995

access-list 102 permit tcp any host 208.74.[redacted] eq 6996

access-list 102 permit tcp any host 208.74.[redacted] eq 6997

access-list 102 permit tcp any host 208.74.[redacted] eq 6998

access-list 102 permit tcp any host 208.74.[redacted] eq 6999

access-list 102 permit udp host 208.67.222.222 eq domain host 208.74.[redacted]

access-list 102 permit udp host 208.67.220.220 eq domain host 208.74.[redacted]

access-list 102 permit ip any any

access-list 2051 remark Auto generated by SDM Management Access feature

access-list 2051 remark SDM_ACL Category=1

access-list 2051 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet

access-list 2051 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22

access-list 2051 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www

access-list 2051 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443

access-list 2051 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd

access-list 2051 deny   tcp any host 192.168.1.1 eq telnet

access-list 2051 deny   tcp any host 192.168.1.1 eq 22

access-list 2051 deny   tcp any host 192.168.1.1 eq www

access-list 2051 deny   tcp any host 192.168.1.1 eq 443

access-list 2051 deny   tcp any host 192.168.1.1 eq cmd

access-list 2051 deny   udp any host 192.168.1.1 eq snmp

access-list 2051 permit ip any any

no cdp run

!

!

!

!

control-plane

!

banner exec ^CCCCCCCCCCCCCCCCCCC

% Password expiration warning.

-----------------------------------------------------------------------

 

Cisco Router and Security Device Manager (SDM) is installed on this device and

it provides the default username "cisco" for  one-time use. If you have already

used the username "cisco" to login to the router and your IOS image supports the

"one-time" user option, then this username has already expired. You will not be

able to login to the router with this username after you exit this session.

 

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

 

username <myuser> privilege 15 secret 0 <mypassword>

 

Replace <myuser> and <mypassword> with the username and password you want to

use.

 

-----------------------------------------------------------------------

^C

banner login ^CCCCCCCCCCCCCCCCCCCAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

 login authentication local_authen

 no modem enable

 transport output telnet

line aux 0

 login authentication local_authen

 transport output telnet

line vty 0 4

 access-class 102 in

 authorization exec local_author

 login authentication local_authen

 transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

ntp clock-period 17175088

ntp server 129.6.15.28 source FastEthernet4 prefer

end



0
 
LVL 3

Expert Comment

by:uniplast
ID: 34182614
Akahan, as I can see you're not familiar with the Cisco CLI.
I think that this document will help a lot.
All you can do through the CCA.
CCA can for free download from the Cisco site


SBCS-Teleworker-using-871W-ISR-3.pdf
0
 
LVL 26

Author Comment

by:akahan
ID: 34184476
uniplast,

That's not really very helpful, since the system described in that document involves another piece of hardware, a UC520, and it's the UC520 that seems to have the critical configuration option, "Enable internet access on remote site."

0
 
LVL 5

Expert Comment

by:BooSTid
ID: 34189424
Are you trying to access devices that have static nat's? Are you able to ping anything that does not have a static nat?

On you cisco vpn client, go to status menu, click statistics... on the route details tab, what are the secured routes?

Your ACL's and static NAT's are gigantic...
0
 
LVL 26

Author Comment

by:akahan
ID: 34189700
Hi -

I know, the ACL's and static NATs are gigantic.  :(   Each device on my network is assigned a static nat, so I "always know where it is," and the DHCP pool is limited to the number of devices for which there are static nats, so no device can join the network without me knowing about it and assigning a static nat to it.

The ACL's are big, too, because a bunch of ports have to be forwarded for eMule and the like.

I'm not actually interested in accessing ANY devices on the network via the VPN.  The ONLY thing I want the VPN to do is allow me to connect to the router from outside the network (e.g., a coffee shop) and relay internet communications through the router, so that I have a secure internet connection from the coffee shop.

Attached is a screenshot of the route details tab in the Cisco vpn client... it DOES seem that this is the problem, actually, or part of it.
 Route table
0
 
LVL 5

Expert Comment

by:BooSTid
ID: 34189798
The only traffic that's going to be encrypted is the traffic that traverses the tunnel. I don't think this is going to accomplish what you want it to accomplish the way you have it configured. When I initially responded to your post, I apparently missed the fact that you want all of your internet traffic to relay through your router...

Anyway, you're going to have to do a loopback config that creates a "router on a stick" topology.

This should cover everything:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

As for your current config; your interesting traffic isn't defined correctly, and isn't being passed to your client. If you do "show crypto ipsec sa", you'll probably see encaps but no decaps, which indicates one-way traffic. Probably not worth fixing though, since your whole configuration is going to change.
0
 
LVL 26

Author Comment

by:akahan
ID: 34190359
Thanks very much.  So here's my plan:  I'll get rid of all the stuff in my current configuration that was inserted to set up the VPN, and keep my current LAN address range of 192.168.1.XXX, and then add the VPN in the manner described by the document you've referred me to.

I have a few questions about particular lines in that document:

"!--- Apply the crypto map on the interface.

interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0"

Would I want to substitute my router's WAN address in place of 172.16.1.1?  Or is that something else?
-------
!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.


!
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server

Is this right, given that my existing LAN is in the 192.168.1.XXX range?  Would I just omit this section, since I already have an internal LAN defined?  The "network diagram" that appears at the top of the document you've referred me to doesn't mention a 192.168....  network at all, so I'm not sure how this fits in.
------------------------

Thanks!  I really appreciate your patience with me, and with this.  If I get it working, I wish there was a way to award 2,000 points.

0
 
LVL 5

Accepted Solution

by:
BooSTid earned 500 total points
ID: 34191339
To apply the crypto map to an interface, you just get to that interfaces config, and use the 'crypto map xxxxx' command

You'll need to substitute your own addressing of course. There's a disclaimer at the top of the config example that kind of alludes to this...

"Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 leavingcisco.com addresses which have been used in a lab environment. "

You can use whatever you like for IP addressing in each of the sections; the only stipulation is that it needs to match up with your interesting traffic acl's, and any acl's you use for a nonat routemap (if applicable). I like to write up my config in notepad++ before I apply it to kind of go through my addressing and acl's to make sure everything matches up the way I want it to. After that, you can usually just copy+paste it into the config prompt.

0
 
LVL 26

Author Comment

by:akahan
ID: 34219246
Working on it, sorry for the delay, will keep you posted...
0
 
LVL 26

Author Closing Comment

by:akahan
ID: 34245838
I expect your solution is probably right...but I ended up installing OpenVPN (free!) on an unused laptop I have sitting around, and that gave me a VPN of exactly the type I want in minutes, no fuss, no muss.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now