
This is an example running configuration for a Cisco 1811 (IOS 12.4) acting as the IPsec VPN hub for several spoke sites. Public addresses, the ISAKMP pre-shared key and the credentials have been replaced with placeholders (`hub_public_ip_address`, `my-vpn-password`, `*****`); substitute your own values before reusing any part of it.
!
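! ---- Global services, AAA and platform settings ----
version 12.4
! Millisecond timestamps on log/debug output, with local time and the
! zone name so entries line up with the spokes' and the collector's logs.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Was "no service password-encryption".  With encryption off the ISAKMP
! pre-shared key (and any type-0 password) appears in clear text in
! "show run", in config backups and in SDM exports.  Type-7 encoding is
! reversible in seconds, so this is obfuscation, not protection -- it
! still has to be backed by restricting who can read the configuration.
! The enable secret and the local user already use type-5 hashes, which
! this setting does not affect.
service password-encryption
! Drop TCP sessions to the router whose peer has silently gone away
! (abandoned SSH/HTTPS sessions) instead of holding them until the
! exec-timeout fires.
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname main
!
boot-start-marker
boot-end-marker
!
! 52 KB in-memory log at debug level; it is lost on reload.  A VPN hub
! should also ship ISAKMP/IPsec and firewall events to a syslog host on
! the LAN ("logging host <addr>") so they survive a crash or reboot.
logging buffered 52000 debugging
enable secret 5 ***************************
!
aaa new-model
!
! Console, VTY and HTTP(S) logins all use the local user database (the
! single "username ... privilege 15 secret" entry); exec authorization
! is local as well, so that user lands straight in privilege 15.  There
! is no RADIUS/TACACS+ server in this design.
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
! Slow down online password guessing against SSH/HTTPS: after 5 failed
! logins within 60 s, refuse further login attempts for 120 s and log
! each failure.  Pair this with "login quiet-mode access-class <acl>"
! naming the management subnet so administrators are not locked out
! while an attacker trips the quiet period.
login block-for 120 attempts 5 within 60
login on-failure log
!
resource policy
!
! Fixed UTC-6 offset and no NTP source in this listing: log timestamps
! are only as good as the clock, so add "ntp server <addr>" if one is
! reachable.
clock timezone PCTime -6
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
! Source-routed packets could be steered around the inbound ACL and the
! policy route; nothing in this design needs them.
no ip source-route
!
!
! CEF is switched off.  Besides the forwarding-performance cost, this
! rules out unicast RPF ("ip verify unicast reverse-path") on the WAN
! interface, which requires CEF; check whether it can be re-enabled on
! this image before adding uRPF.
no ip cef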
! DHCP for the office LAN (Vlan1, 192.168.100.0/24).  Everything outside
! .212-.240 is excluded, so only that range is handed out dynamically;
! the servers referenced by the NAT/ACL entries (.7, .8, .9, .21, .28,
! .114), the machine-tool hosts in access-list 103 and the router (.254)
! are all outside it, i.e. statically addressed.
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.241 192.168.100.254
ip dhcp excluded-address 192.168.100.1 192.168.100.211
!
ip dhcp pool Office
 ! "import all" copies options learned by a DHCP-client or PPP/IPCP
 ! interface into this pool.  No interface in this listing is a DHCP
 ! client, so it is presumably a leftover with no effect -- verify.
 import all
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.254
 ! Internal DNS (.7 is also the mail/web host behind the static NATs)
 ! and WINS server.
 dns-server 192.168.100.7 192.168.100.9
 netbios-name-server 192.168.100.7
!
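ip domain name my_network.biz
! Upstream resolvers (both placeholders here; configure two distinct
! servers so name resolution survives one of them failing).
ip name-server my_dns_server_ip_address
ip name-server my_dns_server_ip_address
! SSH settings for the VTY lines (added).  SSHv1 is still negotiable by
! default on 12.4 and has known protocol weaknesses; force v2, shorten
! the negotiation timeout and cap password retries.  Requires an RSA key
! pair -- if SSH has never been used on this router, run
! "crypto key generate rsa modulus 2048" first (the key is named after
! the hostname and the domain name above) or "ip ssh version 2" is
! rejected.
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
! CBAC (classic IOS Firewall) rule set, applied "out" on FastEthernet0:
! sessions started from the LAN are tracked and their return packets are
! admitted ahead of access-list 105, so that ACL only has to list
! unsolicited inbound services.  The generic tcp/udp/icmp inspectors at
! the end cover whatever the protocol-specific ones do not.
ip inspect name my_network-outbound ftp
ip inspect name my_network-outbound ftps
ip inspect name my_network-outbound cuseeme
ip inspect name my_network-outbound h323
ip inspect name my_network-outbound netshow
ip inspect name my_network-outbound rcmd
ip inspect name my_network-outbound realaudio
ip inspect name my_network-outbound rtsp
ip inspect name my_network-outbound sqlnet
ip inspect name my_network-outbound streamworks
ip inspect name my_network-outbound tftp
ip inspect name my_network-outbound vdolive
ip inspect name my_network-outbound udp
ip inspect name my_network-outbound tcp
ip inspect name my_network-outbound icmp
! VPDN is switched on but no vpdn-group (L2TP/PPTP server) is defined in
! this listing; PPTP for the LAN is the tcp/1723 port forward to
! 192.168.100.8, so this line is presumably inert -- verify before
! removing it.
vpdn enable
!
!
! Application firewall policy with an empty HTTP inspector.  It is never
! referenced by an "ip inspect name ... appfw" entry, so it is not
! applied anywhere and currently does nothing.
appfw policy-name my_network-outbound
 application http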
!
!
! Self-signed certificate used by the HTTPS management server ("ip http
! secure-server"); it plays no part in the VPN, which authenticates
! spokes with the pre-shared key below.  Browsers will warn about it, and
! "revocation-check none" is the only workable setting for a self-signed
! certificate.
crypto pki trustpoint TP-self-signed-1638628543
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1638628543
 revocation-check none
 rsakeypair TP-self-signed-1638628543
!
!
! The certificate body (hex) is redacted in this listing.
crypto pki certificate chain TP-self-signed-1638628543
 certificate self-signed 01
  **********************************
  quit
! The only local account: privilege 15 with a type-5 (MD5) hashed secret.
! Through "aaa authentication login default local" it is the login for
! console, VTY and HTTP(S) alike, so losing it means console recovery.
! A second, lower-privilege account for routine "show" access would
! limit the blast radius of a leaked password.
username ********** privilege 15 secret 5 *****************
!
!
!
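! ---- IKE (ISAKMP) phase 1 ----
! Policies are evaluated lowest-number-first.  Policy 1 (added) offers
! AES-256 / SHA-1 / DH group 5; the original 3DES / DH group 2 proposal
! is kept as policy 10 so spokes that have not been migrated still
! connect, and should be deleted once they have (3DES has a 64-bit block,
! group 2 is 1024-bit DH -- both deprecated).  12.4 generally offers only
! md5/sha and groups 1/2/5; if this image supports them, prefer sha256
! and group 14 or higher.  The 300 s phase-1 lifetime (default 86400) is
! unusually short: it is harmless but forces a full main-mode rekey every
! five minutes per spoke -- confirm it was intended.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 300
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 300
! Wildcard pre-shared key: ANY peer that knows this single key can
! complete phase 1 with the hub (this is what lets spokes with dynamic
! addresses connect).  Consequences: every site shares one secret, so a
! lost or stolen key means re-keying all of them, and because the dynamic
! map below has no "match address", a peer holding the key can negotiate
! an SA for whatever proxy identities it likes.  Use a long random key
! rather than a word; for spokes with static addresses prefer per-peer
! keys ("address <spoke-ip>") or certificate authentication.  "no-xauth"
! is correct for site-to-site peers.  The key is stored in clear text
! unless "service password-encryption" (type 7, reversible) or, on
! images that support it, "key config-key password-encrypt" with
! "password encryption aes" (type 6) is configured.
crypto isakmp key my-vpn-password address 0.0.0.0 0.0.0.0 no-xauth
! Dead-peer detection every 10 s and NAT-T keepalives every 30 s keep
! tunnels to spokes behind NAT alive through idle periods.
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 30
!
!
! ---- IPsec phase 2 ----
! AES-256 transform set added alongside the original 3DES one; the
! spoke's proposal decides which is used.  Retire ESP-3DES-SHA when the
! last spoke has been migrated.
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic crypto map: peer addresses and proxy identities are learned
! from the spokes at negotiation time, so the hub cannot initiate a
! tunnel -- a spoke must bring it up.  No "set pfs" here: adding it would
! require every spoke to propose PFS as well.
crypto dynamic-map rtpmap 10
 set transform-set ESP-AES256-SHA ESP-3DES-SHA
!
!
! The crypto map applied to FastEthernet0.  Its only entry, 6500, points
! at the dynamic map; static entries for known spokes would go in with
! lower sequence numbers so they are tried first.
crypto map rtptrans 6500 ipsec-isakmp dynamic rtpmap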
!
!
!
!
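! Loopback0 exists only to provide the next hop (1.1.1.2) for the
! "bypassnat" policy route: LAN traffic for the spoke subnets is sent
! there first so it is re-routed from a non-NAT interface and reaches the
! crypto map on FastEthernet0 with its private source address intact
! (the classic loopback NAT-bypass trick -- verify against the route-map).
! NOTE(review): 1.1.1.0/24 is a real, publicly routed prefix, so nothing
! behind this router can reach the genuine 1.1.1.0/30.  A private or
! documentation range (e.g. 192.0.2.0/30) would be safer; change the
! route-map's "set ip next-hop" together with this address.
interface Loopback0
 ip address 1.1.1.1 255.255.255.252
!
! Internet-facing interface (public /30 to the ISP).  Inbound:
! access-list 105 plus the CBAC return-traffic holes.  Outbound:
! "ip inspect ... out" tracks LAN-initiated sessions and crypto map
! rtptrans encrypts whatever matches a spoke's negotiated proxy IDs.
interface FastEthernet0
 ip address hub_public_ip_address 255.255.255.252
 ip access-group 105 in
 ! Added: an edge router should neither emit ICMP redirects nor answer
 ! ARP on behalf of other addresses on the Internet side.  "ip
 ! unreachables" is deliberately left on -- the "fragmentation needed"
 ! messages it generates are what path-MTU discovery through the IPsec
 ! tunnels depends on.
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect my_network-outbound out
 ip virtual-reassembly
 ! Speed/duplex are pinned; they must match the ISP device, or the
 ! mismatch shows up as late collisions and CRC errors rather than as a
 ! down link.
 speed 10
 full-duplex
 crypto map rtptrans
!
! Second routed port, reserved for an ADSL backup; not in use.
interface FastEthernet1
 description adsl
 no ip address
 shutdown
 duplex auto
 speed auto
!
! FastEthernet2-9 are the integrated switch ports (all in Vlan1).  Every
! one is administratively down except FastEthernet7, which is presumably
! the live uplink to the office switch -- confirm, and keep every port
! that is not physically cabled shut.
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
! LAN SVI (office /24): NAT "inside" and IOS Firewall inside interface.
! access-list 103 limits what LAN hosts may start, NetFlow is collected
! in both directions, and route-map bypassnat diverts spoke-bound
! traffic away from NAT before it is routed.
interface Vlan1
 description Local Lan$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 192.168.100.254 255.255.255.0
 ip access-group 103 in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip policy route-map bypassnat
!
! Async interface for the dial-in modem on line 1 (SLIP, no address).
! Whoever dials in is authenticated by the local AAA login; if the modem
! is no longer needed, shut this interface down and put "no exec" on
! line 1.
interface Async1
 no ip address
 encapsulation slip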
!
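ip classless
! Single default route to the ISP.  There are no routes for the spoke
! subnets (192.168.150/200/250.0/24): that traffic also follows the
! default route out FastEthernet0, where crypto map rtptrans encrypts it
! once the spoke has negotiated matching SAs.
ip route 0.0.0.0 0.0.0.0 isp_gateway_ip_address
!
! Local NetFlow export (clear-text UDP, stays on the LAN) to the
! collector.
ip flow-export destination 192.168.100.114 10002
!
! Web management (SDM) over HTTPS only.  "ip http server" (clear-text
! HTTP) was enabled in the original; with tcp/80 and tcp/443 on the WAN
! address statically NATed to 192.168.100.7 the router's own web UI was
! only reachable from the LAN, but clear-text management on a firewall
! is still a needless exposure of the privilege-15 credentials.
! access-list 10 limits HTTPS management to the office LAN.
no ip http server
ip http authentication local
ip http secure-server
ip http access-class 10
ip http timeout-policy idle 5 life 86400 requests 10000
!
! ---- NAT ----
! Two overlapping dynamic PAT rules: "list 2" matches every LAN source,
! route-map SDM_RMAP_2 (access-list 106) matches the LAN minus the three
! spoke subnets.  Since list 2 has no deny for the spoke subnets, VPN
! traffic relies on the bypassnat policy route (Vlan1) to stay out of
! NAT rather than on these rules; only the route-map rule is needed and
! the list-2 rule should be retired in a maintenance window (left in
! place here so behaviour is unchanged).
! Static port forwards, WAN address -> LAN host.  Each one needs a
! matching permit in access-list 105 (and vice versa) or it is dead:
!   udp 10003/10004/10005  -> .114  NetFlow from the spoke routers
!   tcp 10003              -> .28   "Laser Camera"
!   tcp 25/80/110/443/3101 -> .7    mail, web, POP3, BlackBerry server
!   tcp 1723               -> .8    PPTP server (GRE permitted in ACL 105)
!   tcp 8000/10002         -> .21   "Arborg DVR"
! Review items: PPTP/MS-CHAPv2 is cryptographically broken and should be
! replaced by IPsec or SSL remote access; camera/DVR web interfaces are
! a frequent compromise vector and belong behind the VPN or at least a
! source-restricted permit; NetFlow is unauthenticated UDP, so the
! matching ACL entries should name the spokes' public addresses wherever
! those are static.
ip nat inside source list 2 interface FastEthernet0 overload
ip nat inside source static udp 192.168.100.114 10004 interface FastEthernet0 10004
ip nat inside source static udp 192.168.100.114 10003 interface FastEthernet0 10003
ip nat inside source static tcp 192.168.100.28 10003 interface FastEthernet0 10003
ip nat inside source static tcp 192.168.100.7 3101 interface FastEthernet0 3101
ip nat inside source static tcp 192.168.100.7 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.100.7 110 interface FastEthernet0 110
ip nat inside source static tcp 192.168.100.7 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.100.7 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.100.8 1723 interface FastEthernet0 1723
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.100.21 10002 interface FastEthernet0 10002
ip nat inside source static tcp 192.168.100.21 8000 interface FastEthernet0 8000
ip nat inside source static udp 192.168.100.114 10005 interface FastEthernet0 10005
!
! ---- Access lists ----
! 2   : source list for the "list 2" PAT rule (whole LAN)
! 10  : management (SSH/HTTPS to the router)
! 103 : inbound on Vlan1 -- what LAN hosts may start
! 105 : inbound on FastEthernet0 -- what the Internet may send us
! 106 : NAT exemption (LAN minus spoke subnets) for route-map SDM_RMAP_2
! 115 : LAN -> spoke subnets, matched by the bypassnat policy route
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
! Management ACL for the VTY lines and the HTTPS server.  Only the office
! LAN may open SSH/HTTPS to the router; add the spoke subnets if the hub
! is administered from remote sites, and log whatever else tries.
access-list 10 remark Management access (SSH/HTTPS) from the office LAN only
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any log
! Inbound from the LAN.  The "lockout" entries stop the listed machine
! tool controllers and workstations from reaching tcp/80 only: they can
! still reach 443 and every other port.  If the intent is to keep them
! off the Internet altogether, deny "ip host <addr> any" after the spoke
! subnet permits instead.
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Mazak LT lockout
access-list 103 deny tcp host 192.168.100.190 any eq www
access-list 103 remark Trumpf LT lockout
access-list 103 deny tcp host 192.168.100.123 any eq www
access-list 103 remark A-6 lockout
access-list 103 deny tcp host 192.168.100.113 any eq www
access-list 103 remark A-5 lockout
access-list 103 deny tcp host 192.168.100.106 any eq www
access-list 103 remark A-3 lockout
access-list 103 deny tcp host 192.168.100.186 any eq www
access-list 103 remark A-1 lockout
access-list 103 deny tcp host 192.168.100.102 any eq www
access-list 103 remark A-1 lockout
access-list 103 deny tcp host 192.168.100.198 any eq www
access-list 103 remark Lathe lockout
access-list 103 deny tcp host 192.168.100.197 any eq www
access-list 103 remark Lathe lockout
access-list 103 deny tcp host 192.168.100.196 any eq www
access-list 103 remark H-4 lockout
access-list 103 deny tcp host 192.168.100.195 any eq www
access-list 103 remark Lathe lockout
access-list 103 deny tcp host 192.168.100.194 any eq www
access-list 103 remark Larry LT lockout
access-list 103 deny tcp host 192.168.100.154 any eq www
access-list 103 remark Mazak Lockout
access-list 103 deny tcp host 192.168.100.149 any eq www
access-list 103 remark Sergei Lockout
access-list 103 deny tcp host 192.168.100.122 any eq www
! Spoke subnets reachable from the whole LAN (bypassnat + crypto map).
access-list 103 remark Florida Network
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 103 remark Teulon Network
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255
! The two permits below are redundant with the final "permit ip any
! any" (SDM artefact).  If outbound SMTP is meant to be limited to the
! mail server -- the usual reason for such a line -- replace the first
! with "permit tcp host 192.168.100.7 any eq smtp" followed by
! "deny tcp 192.168.100.0 0.0.0.255 any eq smtp".
access-list 103 permit tcp 192.168.100.0 0.0.0.255 any eq smtp
access-list 103 permit tcp host 192.168.100.8 any eq 1723
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
! Inbound on the Internet interface.  Only unsolicited services are
! listed; replies to LAN-initiated sessions are admitted by CBAC.
! Changes from the original: (1) "permit tcp any any eq telnet" is gone
! -- there is no tcp/23 port forward, so it exposed the router's own
! clear-text Telnet login to the whole Internet; management is SSH from
! the LAN only (see the vty lines); (2) "permit icmp any any" is replaced
! by the specific types actually needed -- it also admitted redirects and
! timestamp/mask requests; (3) an anti-spoofing deny for our own LAN
! prefix is added at the top; (4) the SMTP deny now matches the
! destination port as evidently intended (it matched the SOURCE port,
! which was harmless only because of the final deny).
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Anti-spoofing: our LAN prefix never arrives from the Internet
access-list 105 deny ip 192.168.100.0 0.0.0.255 any log
! NetFlow and camera/DVR exposures: replace "any" sources with the
! spokes' public addresses wherever those are static.
access-list 105 remark PA NetFlow
access-list 105 permit udp any any eq 10005
access-list 105 remark Florida NetFlow
access-list 105 permit udp any any eq 10004
access-list 105 remark Tuelon NetFlow
access-list 105 permit udp any any eq 10003
access-list 105 remark Laser Camera
access-list 105 permit tcp any any eq 10003
! IPsec to/from the spokes (ESP, IKE, NAT-T, AH).
access-list 105 permit esp any any
access-list 105 permit udp any any eq isakmp
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit ahp any any
access-list 105 remark BB Server Pro
access-list 105 permit tcp any any eq 3101
access-list 105 permit tcp any any eq 443
access-list 105 permit tcp any any eq www
access-list 105 remark Arborg DVR
access-list 105 permit tcp any any eq 10002
access-list 105 remark Arborg DVR
access-list 105 permit tcp any any eq 8000
access-list 105 permit gre any any
access-list 105 permit tcp any any eq 1723
access-list 105 permit tcp any any eq pop3
! Inbound SMTP only from the mail-filtering provider's relays; keep this
! list in step with the provider's published addresses.
access-list 105 permit tcp host 69.20.58.226 any eq smtp
access-list 105 permit tcp host 74.205.4.52 any eq smtp
access-list 105 permit tcp host 207.97.229.125 any eq smtp
access-list 105 permit tcp host 72.32.252.16 any eq smtp
access-list 105 permit tcp host 207.97.230.34 any eq smtp
access-list 105 permit tcp host 72.32.253.10 any eq smtp
access-list 105 permit tcp host 207.97.230.54 any eq smtp
access-list 105 permit tcp host 72.32.252.97 any eq smtp
access-list 105 permit tcp host 69.20.58.234 any eq smtp
access-list 105 permit tcp host 120.136.38.138 any eq smtp
access-list 105 permit tcp host 207.97.242.51 any eq smtp
access-list 105 permit tcp host 72.32.252.76 any eq smtp
access-list 105 permit tcp host 207.97.224.142 any eq smtp
access-list 105 permit tcp host 72.32.253.39 any eq smtp
access-list 105 permit tcp host 69.20.68.133 any eq smtp
access-list 105 permit tcp host 92.52.89.74 any eq smtp
access-list 105 permit tcp host 69.20.60.122 any eq smtp
access-list 105 deny tcp any any eq smtp
! ICMP: replies to the router's own pings/traceroutes, TTL-expired and
! destination-unreachable (including "fragmentation needed", which
! path-MTU discovery over the IPsec tunnels relies on).  "echo" keeps
! the WAN address pingable for ISP/spoke monitoring; drop it if that is
! not used.
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any unreachable
access-list 105 permit icmp any any echo
! Bogon sources, then the catch-all deny (add "log" to it only while
! investigating; it is very noisy on a public address).
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any
! NAT exemption list for route-map SDM_RMAP_2: LAN traffic to the three
! spoke subnets is not translated; everything else from the LAN is PATed
! to the WAN address.
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 106 deny ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 106 deny ip 192.168.100.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 106 permit ip 192.168.100.0 0.0.0.255 any
! LAN -> spoke subnets, used by the bypassnat policy route.  Keep 106,
! 115 and the spokes' crypto ACLs in step when a site is added.
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 115 permit ip 192.168.100.0 0.0.0.255 192.168.250.0 0.0.0.255
! CDP off globally (it would otherwise advertise platform and IOS
! details on the WAN port).
no cdp run
!
route-map SDM_RMAP_2 permit 1
 match ip address 106
!
! Policy route on Vlan1: LAN traffic for the spoke subnets is handed to
! 1.1.1.2 on Loopback0 (a next hop on a non-NAT interface), so it is
! routed again from there and reaches FastEthernet0 -- and the crypto
! map -- with its private source address intact.  Spoke subnets added to
! access-list 115 are covered automatically.
route-map bypassnat permit 10
 match ip address 115
 set ip next-hop 1.1.1.2
!
!
!
!
control-plane
!
! Shown before the login prompt.  Replace the placeholder with an
! authorized-use-only notice; do not identify the organisation or the
! device in it.
banner login _
-----------------------------------------------------------------------
My Banner.
-----------------------------------------------------------------------
_
!
! ---- Terminal lines ----
! Every line authenticates through AAA (local user database).  Idle
! sessions are dropped after 10 minutes; "logging synchronous" keeps
! console output from interleaving with typed commands.
line con 0
 exec-timeout 10 0
 logging synchronous
! Dial-in modem on Async1.  If the modem is no longer used, set
! "no exec" and "transport input none" here and shut down Async1.
line 1
 exec-timeout 10 0
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 10 0
! Remote management: SSH only (Telnet carried the privilege-15
! credentials in clear text) and only from the sources in access-list
! 10.  An undefined access-class silently allows every source, so keep
! the ACL and these lines together.  Before applying, confirm an RSA key
! exists ("show crypto key mypubkey rsa") and that an SSH login works;
! otherwise this removes all remote access (the console still works).
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
line vty 5 15
 access-class 10 in
 exec-timeout 10 0
 transport input ssh
!
no scheduler allocate
end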