
This is an example of a running configuration for a Cisco 1921 IPsec VPN hub with two ISP internet connections and NAT failover.

!
! Review notes are added as IOS "!" comments; the parser ignores them.
! Hub router for a dynamic-peer IPsec VPN with two ISP uplinks. The two LAN
! VLANs are policy-routed to a preferred ISP and PAT'd out of whichever
! uplink they leave by. Placeholders such as hub_public_ip_address_isp1 and
! the masked secrets (****) are the page author's redactions, not literals.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
! Any "password" (not "secret") added later would be stored in clear text.
! "service password-encryption" only adds reversible type-7 obfuscation, so
! the stronger practice is what the enable/username lines below already do:
! use "secret" hashes and avoid "password" entirely.
no service password-encryption
!
hostname Metatron
!
boot-start-marker
boot-end-marker
!
!
no logging console
! "secret 4" is the SHA-256-based type-4 hash, the strongest this release
! offers. Type 4 is known to be weaker than intended (unsalted, single
! iteration); on releases that support them, type 8/9 (PBKDF2/scrypt) are
! preferred. Value masked by the page author.
enable secret 4 ***************************
!
! Login and exec authorization use only the local user database; no
! TACACS+/RADIUS server is configured, so the single local account below is
! the only management credential on the box.
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
no process cpu extended history
no process cpu autoprofile hog
clock timezone CST -6 0
!
! No IPv6 is configured anywhere in this file. "no ip source-route" drops
! packets carrying IP source-route options (hardening default).
no ipv6 cef
no ip source-route
ip cef
!
!
!
! DHCP: "Office" serves Vlan1 (192.168.100.0/24), "ISP2" serves Vlan2
! (192.168.160.0/24). v036/v094 are per-client reservations keyed by DHCP
! client-identifier for 192.168.160.31/.32; note that ACL 110 below
! deliberately excludes those two hosts from NAT.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.241 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.211
ip dhcp excluded-address 192.168.160.1 192.168.160.50
!
ip dhcp pool Office
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
 netbios-name-server 192.168.100.7
 dns-server 192.168.100.7 192.168.100.9
!
ip dhcp pool ISP2
 network 192.168.160.0 255.255.255.0
 default-router 192.168.160.1
 netbios-name-server 192.168.100.7
 dns-server 192.168.100.7 192.168.100.9
!
ip dhcp pool v036
 host 192.168.160.31 255.255.255.0
 client-identifier 01e0.6995.3ed4.15
 default-router 192.168.160.1
 netbios-name-server 192.168.100.7
 dns-server 192.168.100.7 192.168.100.9
!
ip dhcp pool v094
 host 192.168.160.32 255.255.255.0
 client-identifier 0100.1a6b.6b28.12
 default-router 192.168.160.1
 netbios-name-server 192.168.100.7
 dns-server 192.168.100.7 192.168.100.9
!
!
! Both name-server lines carry the same placeholder; a real configuration
! would list two distinct resolvers.
ip domain name my_network.biz
ip name-server my_dns_server_ip_address
ip name-server my_dns_server_ip_address
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
! Self-signed trustpoint (typically auto-created for HTTPS management).
! "revocation-check none" is normal for a self-signed certificate. With
! "no ip http secure-server" set below, nothing visible in this file still
! consumes this certificate. Certificate body masked by the page author.
crypto pki trustpoint TP-self-signed-1638628543
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1638628543
 revocation-check none
 rsakeypair TP-self-signed-1638628543
!
!
crypto pki certificate chain TP-self-signed-1638628543
 certificate self-signed 01
 **********************************
     quit
license udi pid CISCO1921/K9 sn FGL163725MM
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
! Single privilege-15 local account (name and hash masked by the page
! author). There is no lower-privilege operator account.
username ********** privilege 15 secret 4 *****************
!
redundancy
!
!
!
!
!
!
! IKEv1 Phase 1. 3DES and DH group 2 (1024-bit MODP) are legacy choices
! that Cisco's own guidance deprecates in favor of AES and group 14 or
! higher; changing them requires matching changes in the transform-set
! below and on every spoke. The 300-second lifetime (default 86400) forces
! a full IKE re-negotiation with each spoke every five minutes.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 300
! One pre-shared key accepted from any peer address (0.0.0.0 0.0.0.0). This
! is what lets dynamic-IP spokes connect, but every spoke then shares one
! secret: it is readable in "show run", rotating it means touching all
! spokes, and a lost spoke exposes the hub key. Per-peer keys or
! certificate authentication would limit the blast radius.
crypto isakmp key my-vpn-password address 0.0.0.0 0.0.0.0 no-xauth
! Dead Peer Detection every 10 s regardless of traffic ("periodic"), so SAs
! to unresponsive spokes can be cleared.
crypto isakmp keepalive 10 periodic
!
!
! Phase 2 uses the same legacy cipher (3DES) with SHA-1 HMAC.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map for spokes whose addresses are not known in advance. No
! "set pfs" is configured, so Phase 2 keys derive from the Phase 1 DH
! exchange rather than a fresh one.
crypto dynamic-map rtpmap 10
 set transform-set ESP-3DES-SHA
!
!
! This map is applied only to GigabitEthernet0/0 (ISP1) below; there is no
! crypto map on GigabitEthernet0/1, so the ISP failover in this file covers
! outbound NAT traffic, not the VPN.
crypto map rtptrans 6500 ipsec-isakmp dynamic rtpmap
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
 no cdp enable
!
! ISP1 uplink (/30). NAT outside; fragments are reassembled on ingress
! before NAT. Neither outside interface carries an "ip access-group", so
! inbound filtering relies entirely on NAT having no matching translation.
interface GigabitEthernet0/0
 ip address hub_public_ip_address_isp1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 10
 rj45-auto-detect-polarity disable
 no cdp enable
 crypto map rtptrans
!
! ISP2 uplink (/24). NAT outside; no crypto map here.
interface GigabitEthernet0/1
 ip address hub_public_ip_address_isp2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
! Switch ports 0/0/0 and 0/0/1 trunk to the LAN switches; 0/0/2 and 0/0/3
! are unused and shut down.
interface GigabitEthernet0/0/0
 switchport mode trunk
 no ip address
 no cdp enable
!
interface GigabitEthernet0/0/1
 switchport mode trunk
 no ip address
 no cdp enable
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 no cdp enable
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 no cdp enable
!
! Office LAN. Policy routing via ip-switch-main sends Internet-bound traffic
! to ISP1 first (see route-maps below).
interface Vlan1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip route-cache policy
 ip policy route-map ip-switch-main
!
! Second LAN. Policy routing via ip-switch prefers ISP2. This is the only
! interface with NetFlow accounting, so the collector below sees Vlan2
! traffic only.
interface Vlan2
 ip address 192.168.160.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip route-cache policy
 ip policy route-map ip-switch
!
no ip classless
no ip forward-protocol nd
!
! Web management (HTTP and HTTPS) is disabled.
no ip http server
no ip http secure-server
! NetFlow export to a collector on Vlan2 (plain UDP). No "ip flow-export
! version" is set, so the platform default export version applies; v5/v9
! carry more fields if the collector supports them.
ip flow-export destination 192.168.160.20 10002
!
! PAT out of whichever uplink a packet exits. The route-maps tie ACL 110 to
! the egress interface so VPN / inter-site traffic (192.168/16 destinations)
! is left untranslated.
ip nat inside source route-map gig0-nat interface GigabitEthernet0/0 overload
ip nat inside source route-map gig1-nat interface GigabitEthernet0/1 overload
! Inbound port forwards, duplicated on both ISP addresses: SMTP/25 and
! HTTPS/443 to .38, HTTP/80 and 3101 to .7 (which is also the LAN's DNS and
! WINS server per the DHCP pools), and PPTP/1723 to .8. PPTP (MS-CHAPv2) is
! considered broken and is exposed to the Internet here; the IPsec VPN
! above is the safer remote-access path. Each forward is reachable from any
! source address.
ip nat inside source static tcp 192.168.100.38 25 hub_public_ip_address_isp2 25 extendable
ip nat inside source static tcp 192.168.100.7 80 hub_public_ip_address_isp2 80 extendable
ip nat inside source static tcp 192.168.100.38 443 hub_public_ip_address_isp2 443 extendable
ip nat inside source static tcp 192.168.100.8 1723 hub_public_ip_address_isp2 1723 extendable
ip nat inside source static tcp 192.168.100.7 3101 hub_public_ip_address_isp2 3101 extendable
ip nat inside source static tcp 192.168.100.38 25 hub_public_ip_address_isp1 25 extendable
ip nat inside source static tcp 192.168.100.7 80 hub_public_ip_address_isp1 80 extendable
ip nat inside source static tcp 192.168.100.38 443 hub_public_ip_address_isp1 443 extendable
ip nat inside source static tcp 192.168.100.8 1723 hub_public_ip_address_isp1 1723 extendable
ip nat inside source static tcp 192.168.100.7 3101 hub_public_ip_address_isp1 3101 extendable
! Single static default route. No "ip sla" or "track" appears in this file,
! so failover for policy-routed LAN traffic can only follow the state of the
! uplink interface (the recursive next-hop in the route-maps), not upstream
! reachability; router-originated and non-PBR traffic always uses this one
! gateway.
ip route 0.0.0.0 0.0.0.0 isp_gateway_ip_address
!
! ACL 110 (NAT selector): traffic from either LAN toward any 192.168/16
! destination is denied here, i.e. left untranslated, and hosts .31/.32
! (the two DHCP reservations) never match the NAT route-maps at all, so
! they get no Internet translation. Everything else from the LANs is PAT'd.
access-list 110 deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny   ip 192.168.160.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny   ip host 192.168.160.31 any
access-list 110 deny   ip host 192.168.160.32 any
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 110 permit ip 192.168.160.0 0.0.0.255 any
! ACL 130 (PBR selector): LAN-to-LAN traffic and traffic toward
! 192.168.200/150/250 (presumably the VPN spoke subnets -- confirm) is
! excluded from policy routing so it follows the normal routing table and
! the crypto map; only Internet-bound traffic is steered to a preferred ISP.
access-list 130 deny   ip 192.168.160.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 130 deny   ip 192.168.160.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 130 deny   ip 192.168.160.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 130 deny   ip 192.168.160.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 130 deny   ip 192.168.100.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 130 deny   ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 130 deny   ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 130 deny   ip 192.168.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 130 permit ip 192.168.160.0 0.0.0.255 any
access-list 130 permit ip 192.168.100.0 0.0.0.255 any
!
! CDP is off globally as well as per interface. The static ARP entry pins
! the MAC of 192.168.100.38 (the SMTP/HTTPS host forwarded above).
no cdp run
arp 192.168.100.38 03bf.c0a8.1626 ARPA
!
!
!
! Vlan1 policy: Internet-bound traffic (ACL 130) goes to the ISP1 gateway;
! "set ip next-hop recursive" supplies the ISP2 gateway as the fallback
! used when the directly connected next hop is unavailable (as I read the
! IOS semantics -- confirm on the platform).
route-map ip-switch-main permit 10
 match ip address 130
 set ip next-hop isp_gateway_ip_address_isp1
 set ip next-hop recursive isp_gateway_ip_address_isp2
!
! NAT route-maps: translate only ACL-110-permitted traffic, and only when it
! leaves via the named interface, so each uplink PATs to its own address.
route-map gig1-nat permit 10
 match ip address 110
 match interface GigabitEthernet0/1
!
route-map gig0-nat permit 10
 match ip address 110
 match interface GigabitEthernet0/0
!
! Vlan2 policy: mirror image of ip-switch-main, ISP2 first, ISP1 fallback.
route-map ip-switch permit 10
 match ip address 130
 set ip next-hop isp_gateway_ip_address_isp2
 set ip next-hop recursive isp_gateway_ip_address_isp1
!
!
!
!
!
! No control-plane policing policy is attached.
control-plane
!
!
banner login _C
-----------------------------------------------------------------------
My Banner.
-----------------------------------------------------------------------
_
!
! Console session never times out (exec-timeout 0 0): an unattended console
! keeps its privileged session indefinitely. A non-zero timeout is the
! usual hardening.
line con 0
 exec-timeout 0 0
! aux 0 takes the AAA login default (local) but has no exec-timeout or
! transport restriction set here.
line aux 0
! line 2 appears to be the service-module console line; "no exec" means no
! shell is offered, but "transport input all" is broader than needed while
! Embedded-Service-Engine0/0 is shut down above.
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! Remote management is SSH-only on the vty lines. No "access-class"
! restricts which source addresses may connect, and no "ip ssh version 2"
! appears in this file, so whether SSHv1 is accepted depends on the
! platform default. An access-class ACL and "ip ssh version 2" are the
! usual next steps.
line vty 0 4
 transport input ssh
!
no scheduler allocate
end


Copyright © 2013 ProTechs-Online.com; All rights reserved.