Dropped Ping Randomness
Asked by A_Walsh
We currently have two Cisco 1800-series routers, each set up with a site-to-site VPN.
This works fine, but about twice a week the connection starts dropping every other packet. The only way to resolve the issue is a reboot of ROUTER B in the remote location, or to wait for the connection to sort itself out, which can take anywhere from 15 minutes to a few hours.
Below is the running config of each router, ROUTER A being the local and ROUTER B being the remote.
Thanks
ROUTER A
Building configuration...
Current configuration : 27366 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Hixon_Acc
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$I3m7$6GZtaBYC3hpdcIPjCQ36I.
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 10.0.0.251 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 passwd-expiry group sdm-vpn-server-group-1
aaa authentication login sdm_vpn_xauth_ml_4 group radius
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
!
aaa session-id common
clock timezone PCTime 0
!
crypto pki trustpoint TP-self-signed-2370942559
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2370942559
revocation-check none
rsakeypair TP-self-signed-2370942559
!
!
crypto pki certificate chain TP-self-signed-2370942559
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333730 39343235 3539301E 170D3039 30333235 30383235
32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33373039
34323535 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DD55 82377F7D B7C3D59C 3323EE63 0EAB4FE9 F1E3BDAE A28CC418 106D62F1
60A771B1 2E5C6917 A4373AE5 52B3127C 1F8FF92C D7181EA6 31355D64 492783FD
09D05B09 11D4726B 904FE3F4 0745BA36 37A534C0 88E32355 74CE2871 B7C12345
709A16C8 FC659688 8C519CB7 E996B51F 43DCF5BC F8A33675 936D78D4 D9AF06F0
87E30203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13486978 6F6E5F41 63632E61 6C652E6C 6F63616C 301F0603
551D2304 18301680 142F8E0F 96A01EDC DF051F32 E09D52A4 6A6C807A 71301D06
03551D0E 04160414 2F8E0F96 A01EDCDF 051F32E0 9D52A46A 6C807A71 300D0609
2A864886 F70D0101 04050003 8181008E 68F7F65A EDAC4588 59EB9C7C B28BA170
6AC10203 38CCA444 46E00AEE DC07B277 BF454B99 B9555483 CA9B0439 E7F99036
21CE2873 AEBF19B7 9B13EF7C FAE4F445 032EA2FB C109507A EF477D1B 71742F83
FDF862CE 6267C7FB FD615F6A 50849BEC D2BF1DB9 2019624C 7F417EB3 0C59A030
36715780 873DC203 5047A247 587C4C
quit
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain name ale.local
ip name-server 10.0.0.251
ip name-server 213.120.104.241
ip ddns update method sdm_ddns1
DDNS both
!
ip ddns update method sdm_ddns2
DDNS both
!
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
username Admin privilege 15 secret 5 $1$C/sD$kokxW.L25eXnoMeOk88uU/
username test secret 5 $1$.ACo$dkQI8o1b53N2HsIT6cuho.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key A3LH34VY11FT address 60.52.250.73
crypto isakmp key A3LH34VY11FT address 212.241.41.58
crypto isakmp key Ent3rpr1se address 62.6.166.2
crypto isakmp fragmentation
!
crypto isakmp client configuration group ALE_HALL
key Ent3rpr1se
dns 10.0.0.251
domain ALE.local
pool SDM_POOL_2
acl 109
include-local-lan
max-users 90
banner ^CCWelcome to Abnormal Load Engineering ^C
crypto isakmp profile sdm-ike-profile-1
match identity group ALE_HALL
client authentication list sdm_vpn_xauth_ml_3
isakmp authorization list sdm_vpn_group_ml_3
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 7140
set transform-set ESP-3DES-SHA3
set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to60.52.250.73
set peer 60.52.250.73
set transform-set ESP-3DES-SHA2
match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to212.241.41.58
set peer 212.241.41.58
set transform-set ESP-3DES-SHA6
match address 117
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to62.6.166.2
set peer 62.6.166.2
set transform-set ESP-3DES-SHA7
match address 119
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect smtp match-any sdm-app-smtp
match data-length gt 5000000
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 115
class-map type inspect match-any ICMP
match protocol icmp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-3
match class-map ICMP
match access-group name ICMP
class-map type inspect http match-any sdm-app-nonascii
match req-resp header regex sdm-regex-nonascii
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol ftp
match access-group name FTP
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 113
class-map type inspect match-any HTTPS
match protocol http
match protocol https
match protocol snmp
match protocol snmptrap
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-2
match class-map HTTPS
match access-group name HTTPS
class-map type inspect match-any EXCHANGE
match protocol http
match protocol https
match protocol smtp
match protocol icmp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map EXCHANGE
match access-group name Exchange
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 116
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
match access-group 120
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any VPN
match protocol gdoi
match protocol isakmp
match protocol ipsec-msft
match protocol ssp
match protocol tcp
match protocol udp
match protocol pptp
match protocol dns
match protocol icmp
match protocol citrix
match protocol citriximaclient
match protocol ica
match protocol icabrowser
class-map type inspect match-all sdm-cls--3
match class-map VPN
match access-group name vpn
class-map type inspect match-all sdm-cls--2
match class-map VPN
match access-group name vpn
class-map type inspect match-all sdm-cls--1
match class-map VPN
match access-group name vpn
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-cls--4
match class-map VPN
class-map type inspect match-all SDM_VPN_PT0
match access-group 106
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all SDM_VPN_PT1
match access-group 110
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol msnmsgr msn-servers
match protocol aol aol-servers
match protocol ymsgr
class-map type inspect match-any sdm-service-sdm-inspect-1
match protocol http
match protocol https
match protocol snmp
match protocol snmptrap
class-map type inspect match-any FTP
match protocol ftp
class-map type inspect match-all sdm-cls-sdm-inspect-1
match class-map FTP
match access-group name FTP
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-all sdm-protocol-http
match class-map sdm-service-sdm-inspect-1
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-3
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-5
inspect
class type inspect sdm-cls-VPNOutsideToInside-6
pass
class type inspect sdm-cls-VPNOutsideToInside-7
inspect
class type inspect sdm-cls-VPNOutsideToInside-8
inspect
class class-default
drop
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
reset
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-cls-sdm-inspect-1
inspect
class type inspect sdm-invalid-src
drop
class type inspect sdm-protocol-http
inspect
class type inspect sdm-protocol-smtp
inspect
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
inspect
class type inspect sdm-insp-traffic
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
allow
class type inspect http sdm-app-nonascii
log
reset
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT1
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
policy-map type inspect sdm-policy-sdm-cls--4
class type inspect sdm-cls--4
pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
reset
class class-default
!
zone security 1
zone security VPN
zone security vpn
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-VPN-1 source VPN destination 1
service-policy type inspect sdm-policy-sdm-cls--4
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
description $ETH-LAN$
ip address 62.6.248.98 255.255.255.240
ip access-group I2E in
ip access-group E2I out
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.6 point-to-point
shutdown
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
crypto ipsec df-bit clear
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.230 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
interface Dialer5
description $FW_OUTSIDE$
ip address negotiated
ip access-group I2E in
ip access-group E2I out
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
shutdown
dialer pool 2
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname B458315@hg43.btclick.com
ppp chap password 7 11081B0B1800060D082624252C6364
ppp pap sent-username B458315@hg43.btclick.com password 7 141610050316272A28243C34264356
!
interface Dialer6
no ip address
shutdown
no cdp enable
!
interface Dialer1
ip ddns update sdm_ddns1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
shutdown
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname B458315@hg43.btclick.com
ppp chap password 7 045A09080033414F05150A16165B5D
ppp pap sent-username B458315@hg43.btclick.com password 7 094D4C0716171A1307000B2B2F7479
!
ip local pool SDM_POOL_1 10.1.8.1 10.1.8.50
ip local pool SDM_POOL_2 10.1.6.0 10.1.6.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 500
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.0.0.228 80 interface FastEthernet0 80
ip nat inside source static tcp 10.0.0.228 443 interface FastEthernet0 443
ip nat inside source static tcp 10.0.0.242 21 interface FastEthernet0 21
ip nat inside source static tcp 10.0.0.242 20 interface FastEthernet0 20
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static 10.0.0.219 62.6.248.99
!
ip access-list extended E2I
remark SDM_ACL Category=1
permit ip any any
ip access-list extended Exchange
remark SDM_ACL Category=128
permit ip any host 10.0.0.219
ip access-list extended FTP
remark SDM_ACL Category=128
permit ip any any
ip access-list extended HTTPS
remark SDM_ACL Category=128
permit ip any any
ip access-list extended I2E
remark SDM_ACL Category=1
remark IPSec Rule
permit ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
permit udp host 62.6.166.2 host 62.6.248.98 eq non500-isakmp
permit udp host 62.6.166.2 host 62.6.248.98 eq isakmp
permit esp host 62.6.166.2 host 62.6.248.98
permit ahp host 62.6.166.2 host 62.6.248.98
remark IPSec Rule
permit ip 172.16.205.0 0.0.0.255 10.0.0.0 0.0.0.255
permit udp host 212.241.41.58 host 62.6.248.98 eq non500-isakmp
permit udp host 212.241.41.58 host 62.6.248.98 eq isakmp
permit esp host 212.241.41.58 host 62.6.248.98
permit ahp host 212.241.41.58 host 62.6.248.98
permit ip any host 62.6.248.98
remark IPSec Rule
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit udp host 60.52.250.73 host 62.6.248.98 eq non500-isakmp
permit udp host 60.52.250.73 host 62.6.248.98 eq isakmp
permit esp host 60.52.250.73 host 62.6.248.98
permit ahp host 60.52.250.73 host 62.6.248.98
permit tcp any any eq www
permit udp host 213.120.104.241 eq domain any
permit ip any any
ip access-list extended ICMP
remark SDM_ACL Category=128
permit ip any any
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended any
remark SDM_ACL Category=4
permit ip any any
ip access-list extended vpn
remark SDM_ACL Category=128
permit ip any any
!
ip radius source-interface Vlan1
logging trap debugging
logging 10.0.0.41
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 10.0.0.242
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 60.52.250.73 any
access-list 104 remark SDM_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.0.0.0 0.0.0.255 172.16.205.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 60.52.250.73 any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 permit ip 10.0.0.0 0.0.0.255 any
access-list 108 permit ip 192.168.128.0 0.0.0.255 any
access-list 109 remark SDM_ACL Category=4
access-list 109 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=128
access-list 110 permit ip host 60.52.250.73 any
access-list 110 permit ip host 212.241.41.58 any
access-list 110 permit ip host 62.6.166.2 any
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 62.6.248.96 0.0.0.15 212.241.41.56 0.0.0.7
access-list 113 remark SDM_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 212.241.41.56 0.0.0.7 62.6.248.96 0.0.0.15
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.0.0.0 0.0.0.255 172.16.205.0 0.0.0.255
access-list 115 remark SDM_ACL Category=0
access-list 115 remark IPSec Rule
access-list 115 permit ip 172.16.205.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 116 remark SDM_ACL Category=0
access-list 116 remark IPSec Rule
access-list 116 permit ip 172.16.205.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 117 remark SDM_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 10.0.0.0 0.0.0.255 172.16.205.0 0.0.0.255
access-list 118 remark SDM_ACL Category=0
access-list 118 remark IPSec Rule
access-list 118 permit ip 172.16.205.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 119 remark SDM_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 120 remark SDM_ACL Category=0
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 172.16.205.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
!
!
radius-server host 10.0.0.251 auth-port 1645 acct-port 1646 timeout 30 key 7 1436412724577E1D1D79621316
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway gateway_1
ip address 62.6.248.98 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2370942559
inservice
!
webvpn context ALE_SSL
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "SDM_POOL_2"
svc default-domain "ale.local"
svc keep-client-installed
svc dns-server primary 10.0.0.251
default-group-policy policy_1
aaa authentication list sdm_vpn_xauth_ml_4
gateway gateway_1 domain ale.local
inservice
!
end
ROUTER B
Current configuration : 13267 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ALE-MB
!
boot-start-marker
boot system flash:c180x-advipservicesk9-mz.124-15.T7.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$2nV1$/6FemaJnKHpXyJDwXpKYy/
!
clock timezone PCTime 0
!
crypto pki trustpoint TP-self-signed-2370942559
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2370942559
revocation-check none
rsakeypair TP-self-signed-2370942559
!
!
crypto pki certificate chain TP-self-signed-2370942559
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32333730 39343235 3539301E 170D3131 30383031 31303139
34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33373039
34323535 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100FC3B 4598A786 5CA16510 8320B9E9 6FBBDAD6 1ADCF0F4 60A920E2 8DB19ED9
5209B520 F52CB3BB 157AF9E8 AD71FE7A BB902DDB 59554883 E077F105 58B4AF28
7424F3B7 85859B4E 4A87726B B53D7C4B 63CC82E5 6EF397B3 85BD8D54 30F784B3
C057C705 CAEFD8D7 412D33E1 89162AE8 22689D76 E45BE428 5FC0EB87 B110053A
63650203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 10414C45 2D4D422E 616C652E 6C6F6361 6C301F06 03551D23
04183016 80144AC4 C8F457DD 7334E472 9F702396 0CAA250C 71A1301D 0603551D
0E041604 144AC4C8 F457DD73 34E4729F 7023960C AA250C71 A1300D06 092A8648
86F70D01 01040500 03818100 6C431F15 955CCE88 81BC6C93 71D49482 65FF5537
EE509A94 CBCA9586 EA1B3221 5A2F33EF DE9849A5 A11C08D1 4B1A0AA3 9B4DD883
9F8C6BFF 31208B61 55812594 6C71FE5D 4EAEC29D 683B508B 61C944A9 BB47CBDB
7189CC42 E3BBA92D 941E4155 50B913E9 3D6CA515 3B9956E7 FE6F605C CDC02126
5646C695 CA06284E 890DD43D
quit
dot11 syslog
no ip source-route
!
!
ip cef
!
!
no ip bootp server
ip domain list word
ip domain name ale.local
ip name-server 192.168.128.5
!
multilink bundle-name authenticated
!
!
username Admin privilege 15 secret 5 $1$QCTD$AR81NeLYDv9UVS99DGn4E/
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Ent3rpr1se address 62.6.248.98
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to62.6.248.98
set peer 62.6.248.98
set transform-set ESP-3DES-SHA
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 107
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol udp
match protocol tcp
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ICMP
match protocol icmp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map match-any SDM-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any SDM-Signaling-1
match dscp cs3
match dscp af31
class-map match-any SDM-Routing-1
match dscp cs6
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-service-sdm-inspect-1
match protocol http
pass
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-cls-sdm-permit-1
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
service-policy type inspect sdm-policy-VID
!
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 62.6.166.2 255.255.255.240
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
speed 100
full-duplex
crypto map SDM_CMAP_1
service-policy output SDM-QoS-Policy-1
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet1
duplex full
speed 100
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.168.128.230 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.128.240 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.128.240 161 interface FastEthernet0 161
ip nat inside source static tcp 192.168.128.240 162 interface FastEthernet0 162
ip nat inside source static tcp 192.168.128.240 443 interface FastEthernet0 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended OUT2IN
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended VC
remark SDM_ACL Category=128
permit ip any host 192.168.128.240
ip access-list extended any
remark SDM_ACL Category=4
permit ip any any
ip access-list extended icmp
remark SDM_ACL Category=128
permit ip any any
ip access-list extended mb-hx
remark SDM_ACL Category=128
permit ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.128.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 remark ICMP
access-list 101 permit icmp 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 62.6.248.98 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark ICMP
access-list 104 deny icmp 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 permit ip 192.168.128.0 0.0.0.255 any
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.128.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 104 permit ip 192.168.128.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=0
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 105 remark ICMP
access-list 105 permit icmp 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 106 remark ICMP
access-list 106 permit icmp 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
access-list 107 remark ICMP
access-list 107 permit icmp 10.0.0.0 0.0.0.255 192.168.128.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
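The pasted config above contains several settings a defender would want flagged before worrying about the intermittent packet loss: 3DES and DH group 2 in the IKE policy, a pre-shared key held in cleartext in the running config, plaintext HTTP management, telnet accepted on the vty lines, static NAT entries that publish inside ports on the WAN interface, `permit ip any any` ACL entries, and debug-level syslog. The audit script below is an added example, not part of the post or of Cisco's tooling; the function names (`audit`, `severity_counts`) and the sample config are mine, the sample uses a placeholder key and an RFC 5737 address in place of the real peer, and the parser tracks sections by command prefix and `!` separators so it still works on a paste that has lost its leading-space indentation, as this one has.

```python
"""Audit a Cisco IOS running config for weak crypto and exposed management.

Added helper, not part of the post. Names (audit, severity_counts,
SAMPLE_CONFIG) are mine; the sample config is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (severity, 1-based line number, message)

# Constructed sample modelled on the structure of the post's config; the PSK
# and WAN peer are replaced with a placeholder and a documentation address.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 192.0.2.10
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip http server
ip http secure-server
ip nat inside source static tcp 192.168.128.240 161 interface FastEthernet0 161
ip nat inside source static tcp 192.168.128.240 443 interface FastEthernet0 443
ip access-list extended OUT2IN
 remark SDM_ACL Category=1
 permit ip any any
logging trap debugging
line vty 0 4
 transport input telnet ssh
"""

# Commands that open a section; the sub-commands after them belong to it.
# Matching by prefix (and resetting on '!') keeps this working even when a
# pasted config has lost its indentation, as in the post.
SECTION_PREFIXES = ("crypto isakmp policy", "line ", "ip access-list", "interface ")
WEAK_DH_GROUPS = {"1", "2", "5"}
SENSITIVE_PORTS = {"23": "telnet", "161": "snmp", "162": "snmp-trap"}
STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
PERMIT_ANY = re.compile(r"^(access-list \S+ )?permit ip any any$")


def audit(config: str) -> List[Finding]:
    """Return findings in line order; severity is one of high/medium/low."""
    findings: List[Finding] = []
    section = ""
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            section = ""  # '!' separates top-level blocks in IOS output
            continue
        if line.startswith(SECTION_PREFIXES):
            section = line
        words = line.split()

        if section.startswith("crypto isakmp policy"):
            if words[0].startswith("encr") and len(words) > 1 and words[1] == "3des":
                findings.append(("high", lineno, "IKE policy uses 3DES; prefer AES"))
            if words[0] == "group" and len(words) > 1 and words[1] in WEAK_DH_GROUPS:
                findings.append(("high", lineno,
                                 f"IKE DH group {words[1]} is weak; use group 14 or higher"))

        # 'crypto isakmp key 6 <key> ...' is an encrypted (type 6) key; anything
        # else ('0' or no type) leaves the PSK readable in the running config.
        if line.startswith("crypto isakmp key") and len(words) > 3 and words[3] != "6":
            findings.append(("medium", lineno,
                             "IKE pre-shared key stored in cleartext (type 0); "
                             "use 'password encryption aes' and a type 6 key"))

        if line.startswith("crypto ipsec transform-set") and "esp-3des" in words:
            findings.append(("high", lineno, "IPsec transform-set uses 3DES; prefer esp-aes"))

        if line == "ip http server":
            findings.append(("medium", lineno,
                             "plaintext HTTP management enabled; keep only 'ip http secure-server'"))

        m = STATIC_NAT.match(line)
        if m:
            proto, host, inside_port, wan_if, wan_port = m.groups()
            if wan_port in SENSITIVE_PORTS:
                findings.append(("high", lineno,
                                 f"{SENSITIVE_PORTS[wan_port]} on {host} exposed via {wan_if}"))
            else:
                findings.append(("medium", lineno,
                                 f"{proto}/{wan_port} on {wan_if} forwarded to {host}:{inside_port}"))

        if PERMIT_ANY.match(line):
            findings.append(("medium", lineno, "ACL entry 'permit ip any any' is overly permissive"))

        if line == "logging trap debugging":
            findings.append(("low", lineno, "syslog at debugging level; noisy and can load the CPU"))

        if section.startswith("line ") and line.startswith("transport input") and "telnet" in words:
            findings.append(("high", lineno,
                             f"cleartext telnet allowed on '{section}'; use 'transport input ssh'"))

    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings by severity, e.g. {'high': 5, 'medium': 4, 'low': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, ln, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:6} line {ln:3}: {msg}")
```

Run against a saved `show running-config` instead of the embedded sample by passing the file contents to `audit()`. The checks are deliberately narrow string and regex matches on IOS syntax rather than a full config grammar, so a router that uses `encryption` in place of `encr`, or a type-6 key, is handled, but unusual formatting beyond that should be reviewed by eye.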