
This is an example of a running configuration for an 1811 IPsec VPN spoke.

!This is the running config of the router: 192.168.250.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Only affects reversible (type 7) obfuscation of plain "password" lines.
! The one username below uses "secret 5" (hashed) and is unaffected, but any
! future "password" line would be stored in cleartext; "service
! password-encryption" is the safer default.
no service password-encryption
!
hostname PARouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
! No local log buffer, and no "logging trap"/"logging host" further down, so
! the "log" keyword on the final deny of access-list 101 presumably reaches
! only the console -- confirm, and consider "logging buffered" plus a syslog
! host so the WAN deny hits are retained.
no logging buffered
!
no aaa new-model
!
! Self-signed certificate used by "ip http secure-server" below; browsers
! cannot validate it without pinning. Placeholder trustpoint id.
crypto pki trustpoint TP-self-signed-145767206
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-145767206
 revocation-check none
 rsakeypair TP-self-signed-145767206
!
!
crypto pki certificate chain TP-self-signed-145767206
 certificate self-signed 01
 **********************************
     quit
dot11 syslog
!
! Wireless SSID, bridged into the inside network (bridge-group 1 / BVI1).
! The PSK is written with type 0 (cleartext in the config); the WPA version
! is not pinned here -- "authentication key-management wpa version 2" would
! make WPA2 explicit if the IOS image supports it (verify).
dot11 ssid my_network_PA
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 my_wifi_password
!
! Drop source-routed packets.
no ip source-route
!
!
! Inside DHCP scope for 192.168.250.0/24; .1-.10 reserved for infrastructure.
ip dhcp excluded-address 192.168.250.1 192.168.250.10
!
ip dhcp pool vpa_dhcp
   import all
   network 192.168.250.0 255.255.255.0
   dns-server 192.168.100.7 192.168.100.9
   default-router 192.168.250.1
   netbios-name-server 192.168.100.7
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name my_network.com
! Both name-server lines carry the same placeholder; in a real config they
! would normally be two distinct resolvers.
ip name-server my_dns_server_ip_address
ip name-server my_dns_server_ip_address
! CBAC inspection rule set; applied outbound on FastEthernet0 so that return
! traffic for inside-initiated sessions is admitted past access-list 101.
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW cuseeme
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
! Single local admin account (hashed secret); used by "login local" on the
! console/vty lines and by "ip http authentication local".
username ********** privilege 15 secret 5 *****************
!
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2. These are legacy choices
! (3DES and group 2 are below current guidance); AES and group 14 or
! stronger are preferable if the hub side supports them. Hash and lifetime
! are left at the IOS defaults.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key is stored in cleartext here (placeholder value); restricted
! to the hub peer address and XAUTH disabled.
crypto isakmp key my-vpn-password address hub_public_ip_address no-xauth
crypto isakmp invalid-spi-recovery
! Dead peer detection every 10 s.
crypto isakmp keepalive 10
!
!
! Phase 2 proposal, matching the 3DES/SHA-1 choice above (tunnel mode default).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Site-to-site crypto map: interesting traffic is defined by access-list 110
! (inside /24 to hub /24); applied on FastEthernet0 below.
crypto map rtp 1 ipsec-isakmp
 set peer hub_public_ip_address
 set transform-set ESP-3DES-SHA
 match address 110
!
! Config-change logging with keys/passwords masked.
archive
 log config
  hidekeys
!
!
bridge irb
!
!
!
! 2.4 GHz radio; AES-CCMP only, bridged to the inside network. Unknown-source
! blocking and disabled unicast flooding limit what a rogue client can inject.
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid my_network_PA
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! 5 GHz radio; same SSID and bridge settings as Dot11Radio0.
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid my_network_PA
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
! WAN interface: inbound filtered by access-list 101, NAT outside, CBAC
! inspection outbound, IPsec crypto map attached.
interface FastEthernet0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address spoke_public_ipaddress 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map rtp
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
! FastEthernet2-9: switch ports, all members of Vlan1 by default.
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 bridge-group 1
!
! Async/modem line is administratively down.
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
! Inside L3 interface for the bridge group (wired VLAN + both radios).
! Access-list 100 provides basic anti-spoofing on inbound traffic.
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.250.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 isp_gateway_ip_address
! Both plaintext HTTP and HTTPS management are enabled, with no
! "ip http access-class" restriction visible. Since the server listens on all
! interfaces, consider "no ip http server" (keep secure-server only) and an
! access-class limiting it to inside addresses.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
! PAT everything matched by route-map NAT out of FastEthernet0; route-map
! NAT (access-list 115) excludes the VPN subnet pair so tunnel traffic keeps
! its real addresses.
ip nat inside source route-map NAT interface FastEthernet0 overload
!
! No syslog export (see "no logging buffered" above).
no logging trap
! ACL 100 (inside, in): drop broadcast- and loopback-sourced packets.
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 (WAN, in). Notes:
!  - "permit icmp any any" makes the three specific ICMP permits after it
!    redundant; narrowing to echo-reply/time-exceeded/unreachable would be
!    the usual choice.
!  - esp/ahp/isakmp/non500-isakmp are allowed from any source; they could be
!    restricted to hub_public_ip_address, the only configured peer.
!  - tcp/1723 and gre appear to be PPTP pass-through; confirm still needed.
!  - "permit tcp any any eq telnet" exposes cleartext management to the
!    whole Internet; together with "transport input telnet ssh" on the vty
!    lines this is the main finding in this config. Remove it (and the
!    telnet line in ACL 105) and manage over SSH from a restricted source.
access-list 101 remark SDM_ACL Category=17
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any any eq 1723
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit ahp any any
access-list 101 permit gre any any
access-list 101 permit tcp any any eq telnet
! Bogon / private-source filtering, then log everything else that is dropped.
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
! ACL 105 is not referenced by any interface, crypto map or route-map in this
! config (likely an SDM leftover); it can be removed.
access-list 105 permit gre any any
access-list 105 permit tcp any any eq 1723
access-list 105 permit tcp any any eq telnet
access-list 105 permit esp any any
access-list 105 permit udp any any eq isakmp
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit ahp any any
! ACL 110: IPsec interesting traffic (spoke LAN <-> hub LAN).
access-list 110 remark SDM_ACL Category=20
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.100.0 0.0.0.255
! ACL 115: NAT candidates -- everything from the spoke LAN except VPN traffic.
access-list 115 remark SDM_ACL Category=18
access-list 115 deny   ip 192.168.250.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 permit ip 192.168.250.0 0.0.0.255 any
! CDP disabled globally (no neighbour/platform disclosure on the WAN).
no cdp run
!
!
!
!
route-map NAT permit 10
 match ip address 115
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
! Modem line: no "login" shown here -- confirm whether dial-in EXEC access
! is intended and, if not, add authentication or "no exec".
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
! No login or "no exec" on aux 0; physical access to the AUX port may give an
! EXEC session -- hedge: verify the platform default and lock it down.
line aux 0
! Remote management: every vty login lands at privilege 15; telnet is
! accepted alongside SSH and there is no "access-class" or "exec-timeout".
! Prefer "transport input ssh" with an access-class limiting sources; no
! "ip ssh version 2" line is visible, so confirm SSH is actually usable
! before removing telnet.
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end

