SR520 -> UC520 VPN - Banging my head

Unanswered Question

I had a VPN tunnel working on another SR520 and UC520.  I copied most of the VPN parts of the configs over to the new set of equipment, but it does not work.  I am trying to plug a phone into the SR520, and it just says "registering".  The phone is set up on the UC520.  I have attached the configs for both.


Thanks to anyone that can help.

Steven DiStefano Thu, 03/26/2009 - 05:57

On the SR520, shouldn't FE4 be "ip nat outside" and VLAN1 be "ip nat inside"?

Steven DiStefano Thu, 03/26/2009 - 09:17

1- show crypto session detail


2- show access-lists <--- look for the counters beside the ACL

Steven DiStefano Mon, 03/30/2009 - 06:00

Looks like it would.

But I use CCA.

Here is the "sh run" output from a working SR520 used as a remote teleworker device with a UC500 in my office.

SR520#sh run
Building configuration...

Current configuration : 9579 bytes
!
! Global services, hostname and enable secret of the SR520 (the remote/teleworker end of the tunnel).
version 12.4
no service  pad
service timestamps debug datetime msec
service timestamps log datetime  msec
! NOTE(review): password encryption is disabled, so any password that is not stored as a hash
! is displayed in clear text by "show run" (and therefore in any pasted copy of it).
no service password-encryption
!
hostname  SR520
!
boot-start-marker
boot-end-marker
!
logging  message-counter syslog
! NOTE(review): type 5 (salted MD5) hash published with the config; the enable secret
! should be treated as exposed and changed on the device.
enable secret 5  $1$KZJQ$m1zQvaX2XMdFr662TCoZG1
!
! AAA method lists are not used; logins fall back to the per-line "login local" settings below.
no aaa new-model
!
! Self-signed trustpoint; presumably the one IOS generates for "ip http secure-server" (confirm).
! Revocation checking is off, which is expected for a self-signed certificate.
crypto pki  trustpoint TP-self-signed-2237612140
enrollment selfsigned
subject-name  cn=IOS-Self-Signed-Certificate-2237612140
revocation-check  none
rsakeypair TP-self-signed-2237612140
!        
!
crypto pki  certificate chain TP-self-signed-2237612140
certificate self-signed 01
   3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
   69666963 6174652D 32323337 36313231 3430301E 170D3032 30333033 32323535
   32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32333736
   31323134 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
   8100A574 0378F66F 9C61787F 62C6F635 7E46C77D BD64E85B 09139146 C6BA01AE
   F6531B9E BF124722 DAD7DEA7 CBDEA47C EB7DABED 2C407ED2 3704F81C EBF8FA45
   67EF5EB1 F084EBD4 6EE6E46E 3D78A05C 9537F37B B35EFFB0 C44BAE16 5465EC47
   BC280A91 E66D67E3 D052AB00 2B7BB537 C079E4FD BBA78934 D34B0A2A 2BE80008
   99490203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
   551D1104 09300782 05535235 3230301F 0603551D 23041830 168014BF 91C07D31
   892ABF63 DDDD22F5 F14AA8AA 62E02D30 1D060355 1D0E0416 0414BF91 C07D3189
   2ABF63DD DD22F5F1 4AA8AA62 E02D300D 06092A86 4886F70D 01010405 00038181
   006099EA 1645B595 351C6C50 35771FC9 F6FF43AA 0ED84653 B723B582 6969DA0B
   C7C59798 461E891C 06ED875D 2FCC10B5 50F8383A A40E121D 8B9B02F4 AFBC2082
   5159D29C 65D6312C CEC42B38 C70E59AC 027996CD 49624106 6A9C3B36 452CB480
   17773608 8B19556F AEA4C8B7 0100EEE2 E40F8D1E 47B165B8 0FFCB0A7 B0E977D4  AF
        quit
! Wireless SSID definition and IP source-routing setting.
dot11 syslog
!        
! NOTE(review): the SSID uses open authentication and no "encryption" statement appears under
! Dot11Radio0 in this listing, so the WLAN looks unencrypted. It is bridged into VLAN 75, the
! same inside segment that is allowed into the EzVPN tunnel.
dot11 ssid sr520
   vlan  75
   authentication open
!
! NOTE(review): packets carrying IP source-route options are honoured; "no ip source-route"
! is the usual hardening setting.
ip source-route
!
!
! DHCP service for the inside LAN (192.168.75.0/24); .1-.10 are kept out of the pool.
ip dhcp  excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
    import all
   network 192.168.75.0 255.255.255.0
   default-router  192.168.75.1
   dns-server 64.102.6.247
! Option 150 hands phones their TFTP server address; 10.1.1.1 is the Vlan100 address on the
! UC520 config later in this thread, so phone registration depends on the tunnel being up.
   option 150 ip 10.1.1.1 
!
!
! CEF, a custom port-map used by the firewall class maps, and the local admin account.
ip cef
! Defines "user-ezvpn-remote" as UDP/10000 so the zone firewall can match it by name.
ip port-map user-ezvpn-remote port udp 10000
!
no  ipv6 cef
multilink bundle-name authenticated
!
!        
! NOTE(review): privilege-15 account with a well-known username; its type 5 hash is published
! with this config, so the password should be changed.
username  cisco privilege 15 secret 5 $1$IuNh$2cNi97/Tb/5LarNjkkzn.1

!
!
!
!
!
! Easy VPN remote (client) profile; it is bound to FastEthernet4 (outside) and BVI75 (inside) below.
crypto ipsec client ezvpn  EZVPN_REMOTE_CONNECTION_1
! The tunnel is brought up automatically rather than on demand.
connect auto
! NOTE(review): group pre-shared key is stored and shown in clear text and is a guessable
! string; the same key appears on the UC520 server group. Rotate it on both ends.
group EZVPN_GROUP_1 key  cisco123
! Client mode: inside hosts are translated behind the address assigned by the server pool.
mode client
peer 64.102.88.173
! Ties the tunnel to Virtual-Template1, which sits in ezvpn-zone.
virtual-interface  1
! Xauth credentials are collected by intercepting an inside user's HTTP session, so the tunnel
! waits for someone to authenticate in a browser; worth checking when a phone behind the
! SR520 stays at "registering".
xauth userid mode http-intercept
!
!
! Configuration change logging; "hidekeys" keeps passwords out of the logged command records.
archive
log config
   hidekeys
!
!
!
! Zone-based firewall class maps (the sdm-/SDM_ names suggest they were generated by SDM).
! match-any = any listed criterion matches; match-all = every listed criterion must match.
class-map type inspect match-any SDM_AH
match  access-group name SDM_AH
! Voice signalling matched by protocol only; no ACL restricts source or destination.
class-map type inspect match-any  SDM-Voice-permit
match protocol h323
match protocol skinny
match  protocol sip
class-map type inspect match-any SDM_ESP
match access-group  name SDM_ESP
! IPsec/IKE traffic: ISAKMP, NAT-T (ipsec-msft), AH, ESP and the UDP/10000 port-map entry.
class-map type inspect match-any  SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol  ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match  protocol user-ezvpn-remote
! VPN traffic that also matches ACL 101.
class-map type inspect match-all  SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match  access-group 101
! NOTE(review): ACL 102 ends in "permit ip any any", so this class matches all IP traffic.
class-map type inspect match-any  Easy_VPN_Remote_VT
match access-group 102
class-map type inspect  match-any sdm-cls-icmp-access
match protocol icmp
match protocol  tcp
match protocol udp
! Application protocols for stateful inspection; the trailing tcp/udp entries make the class
! match any TCP or UDP flow.
class-map type inspect match-any  sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match  protocol ftp
match protocol h323
match protocol https
match protocol  icmp
match protocol imap
match protocol pop3
match protocol  netshow
match protocol shell
match protocol realmedia
match protocol  rtsp
match protocol smtp extended
match protocol sql-net
match  protocol streamworks
match protocol tftp
match protocol  vdolive
match protocol tcp
match protocol udp
class-map type inspect  match-all sdm-nat-h323-1
match access-group 103
match protocol  h323
! Sources listed in ACL 100 (broadcast, loopback and the outside subnet).
class-map type inspect match-all sdm-invalid-src
match access-group  100
class-map type inspect match-all dhcp_out_self
match access-group  name dhcp-resp-permit
class-map type inspect match-all  dhcp_self_out
match access-group name dhcp-req-permit
class-map type  inspect match-all sdm-nat-sip-2
match access-group 102
match protocol  sip
class-map type inspect match-all sdm-protocol-http
match protocol  http
class-map type inspect match-all sdm-nat-sip-1
match access-group  101
match protocol sip
!
!
! Zone-based firewall policies. "inspect" builds session state for return traffic; "pass" lets
! packets through one way without state; "drop" discards. Classes are evaluated top-down.
! Router-originated traffic to the outside; class-default is "pass" here, so nothing is dropped.
policy-map type inspect  sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class  type inspect sdm-cls-icmp-access
  inspect
class class-default
   pass
! NOTE(review): the only class matches ACL 102, which ends in "permit ip any any", so this
! policy passes all IP traffic on every zone-pair it is attached to.
policy-map type inspect sdm-permit_VT
class type inspect  Easy_VPN_Remote_VT
  pass
class class-default
  drop   
! Inside-to-outside policy.
! NOTE(review): sdm-cls-insp-traffic already matches all TCP/UDP/ICMP and is listed first, so
! the later classes, including the spoofed-source drop (sdm-invalid-src), appear to be
! shadowed for that traffic - confirm with "show policy-map type inspect zone-pair" counters.
policy-map  type inspect sdm-inspect
class type inspect sdm-cls-insp-traffic
   inspect
class type inspect SDM-Voice-permit
  pass
class type  inspect sdm-invalid-src
  drop log
class type inspect  sdm-protocol-http
  inspect
class class-default
  drop
! Outside-to-inside policy.
! NOTE(review): SDM-Voice-permit passes H.323/SCCP/SIP from any outside source without state;
! exposure presumably stays limited because only overload NAT is configured - confirm.
policy-map  type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
   pass
class type inspect sdm-nat-sip-1
  pass
class type inspect  sdm-nat-sip-2
  pass
class type inspect sdm-nat-h323-1
   pass
class class-default
  drop
! Outside-to-router policy: only VPN traffic matching ACL 101 and DHCP replies reach the
! router itself; everything else from the outside is dropped.
policy-map type inspect  sdm-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
class  type inspect dhcp_out_self
  pass
class class-default
   drop
!
! Security zones and the policy attached to each direction of travel between them.
zone security out-zone
zone security in-zone
zone security  ezvpn-zone
zone-pair security sdm-zp-self-out source self destination  out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair  security sdm-zp-out-in source out-zone destination in-zone
service-policy  type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source  out-zone destination self
service-policy type inspect  sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination  out-zone
service-policy type inspect sdm-inspect
! NOTE(review): all four ezvpn-zone pairs use sdm-permit_VT, which passes everything ACL 102
! matches (any IP). That includes out-zone <-> ezvpn-zone, so the firewall does not restrict
! traffic between the Internet-facing zone and the tunnel interface.
zone-pair security  sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type  inspect sdm-permit_VT
zone-pair security sdm-zp-out-ezpn1 source out-zone  destination ezvpn-zone
service-policy type inspect  sdm-permit_VT
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone  destination out-zone
service-policy type inspect sdm-permit_VT
zone-pair  security sdm-zp-ezvpn-in1 source ezvpn-zone destination  in-zone
service-policy type inspect sdm-permit_VT
!
! Integrated routing and bridging is enabled; the four LAN switch ports are access ports in
! VLAN 75, the inside segment routed through BVI75.
bridge  irb
!
!
interface FastEthernet0
switchport access vlan  75
!
interface FastEthernet1
switchport access vlan  75
!
interface FastEthernet2
switchport access vlan  75
!
interface FastEthernet3
switchport access vlan  75
!
! WAN interface: NAT outside, member of out-zone, and the outside interface of the EzVPN client.
interface FastEthernet4
description $FW_OUTSIDE$
ip address  64.102.88.184 255.255.255.0
ip nat outside
ip  virtual-reassembly
zone-member security out-zone
duplex auto
speed  auto
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
! Template for the IPsec tunnel interface referenced by "virtual-interface 1"; places tunnel
! traffic in ezvpn-zone.
interface  Virtual-Template1 type tunnel
no ip address
zone-member security  ezvpn-zone
tunnel mode ipsec ipv4
!
! Radio interface acting as access point (station-role root) for SSID sr520.
! NOTE(review): no "encryption" command is present on this interface in the listing, which
! together with "authentication open" on the SSID suggests an unencrypted WLAN.
interface Dot11Radio0
no ip  address
!
ssid sr520
!
speed basic-1.0 basic-2.0 basic-5.5 6.0  9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role  root
!
! Subinterface that bridges wireless clients into bridge-group 75 (the inside LAN).
interface Dot11Radio0.75
encapsulation dot1Q 75  native
bridge-group 75
bridge-group 75  subscriber-loop-control
bridge-group 75 spanning-disabled
bridge-group  75 block-unknown-source
no bridge-group 75 source-learning
no  bridge-group 75 unicast-flooding
!
! VLAN and bridge-virtual interfaces. In this working config the NAT-inside / EzVPN-inside
! interface is BVI75, not Vlan1; Vlan1 and BVI1 carry no IP address.
interface Vlan1
no ip  address
bridge-group 1
!
interface Vlan75
no ip  address
bridge-group 75
bridge-group 75  spanning-disabled
!
! Routed gateway for the wired ports and the wireless SSID; in-zone member and the "inside"
! interface of the EzVPN client.
interface BVI75
description $FW_INSIDE$
ip  address 192.168.75.1 255.255.255.0
ip nat inside
ip  virtual-reassembly
zone-member security in-zone
crypto ipsec client  ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface BVI1
no ip  address
!
! Default route, device web server and NAT overload.
ip forward-protocol nd
! Default route points at the interface rather than a next-hop address, with distance 2.
ip route 0.0.0.0 0.0.0.0 FastEthernet4  2
!
! NOTE(review): the plain-HTTP server is enabled next to HTTPS, so local credentials can be
! sent unencrypted on the inside/wireless LAN. The out-zone -> self policy drops it from the
! WAN. It may be needed for the Xauth http-intercept prompt - confirm before disabling.
ip http server
ip http authentication local
ip http  secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for the sources in ACL 1 behind the FastEthernet4 address.
ip  nat inside source list 1 interface FastEthernet4 overload
!
! Named ACLs referenced by the class maps: AH, ESP, and DHCP request/response matching.
! The AH and ESP entries match any source and destination.
ip access-list  extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip  access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any  any
ip access-list extended dhcp-req-permit
remark SDM_ACL  Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended  dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any  eq bootpc
!
! ACL 1: sources translated by the NAT overload rule.
access-list 1 remark SDM_ACL Category=2
access-list 1  permit 192.168.75.0 0.0.0.255
access-list 1 permit 192.168.10.0  0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit  10.1.10.0 0.0.0.255
! ACL 100: "invalid source" list used by class sdm-invalid-src (broadcast, loopback, and the
! outside subnet appearing as a source).
access-list 100 remark SDM_ACL  Category=128
access-list 100 permit ip host 255.255.255.255  any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100  permit ip 64.102.88.0 0.0.0.255 any
! ACL 101: anything to host 192.168.75.2, plus anything from the VPN peer 64.102.88.173.
access-list 101 remark SDM_ACL  Category=0
access-list 101 permit ip any host 192.168.75.2
access-list 101  remark SDM_ACL Category=128
access-list 101 permit ip host 64.102.88.173  any
! NOTE(review): the final entry of ACL 102 permits all IP, which makes the first entry moot
! and turns every class that matches on ACL 102 into a match-everything class.
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip  any host 192.168.75.2
access-list 102 remark SDM_ACL  Category=1
access-list 102 permit ip any any
access-list 103 remark  SDM_ACL Category=0
access-list 103 permit ip any host  192.168.75.2
!
!
!
!
!
! Control plane, bridging, login banner and terminal lines.
control-plane
!
bridge 1 protocol  ieee
bridge 1 route ip
bridge 75 route ip
banner login ^CSR520 Base  Config - MFG 1.0 ^C
!
line con 0
login local
no modem  enable
line aux 0
! NOTE(review): vty sessions start at privilege 15, Telnet is accepted alongside SSH, and no
! "access-class" restricts the source. The out-zone -> self policy drops these from the WAN,
! but they remain reachable from the inside LAN, including the open SSID.
! "transport input ssh" plus an access-class is the usual tightening.
line vty 0 4
privilege level 15
login  local
transport input telnet ssh
!
scheduler max-task-time  5000
end

Steven DiStefano Mon, 03/30/2009 - 08:57

sure...


sbcs-48U#sh run
Building configuration...


Current configuration : 39285 bytes
!
! Last configuration change  at 15:34:15 PST Wed Mar 18 2009 by cisco
! NVRAM config last updated at  08:28:42 PST Wed Mar 11 2009 by cisco
!
! Global services, hostname and enable secret of the UC520 (the Easy VPN server end).
version 12.4
parser config  cache interface
no service pad
service timestamps debug datetime  msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, non-hashed passwords and keys in this config
! are displayed in clear text.
no service  password-encryption
! NOTE(review): "service internal" exposes internal/diagnostic commands; presumably not
! required for normal operation - confirm whether it can be removed.
service internal
service  compress-config
!
hostname  sbcs-48U
!
boot-start-marker
boot-end-marker
!
logging  message-counter syslog
! NOTE(review): type 5 (salted MD5) hash published with the config; change the enable secret.
enable secret 5  $1$9NKA$ctuO5k76h5.MfpwOT44zT.
!
! AAA: every method list points at the local user database, including the Xauth login list
! and the group-authorization list referenced by the ISAKMP profile.
aaa new-model
!        
!         
aaa authentication login default local
aaa authentication login  Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone PST -8
clock  summer-time PST recurring
!
! Self-signed trustpoint; presumably the one IOS generates for "ip http secure-server" (confirm).
crypto pki trustpoint  TP-self-signed-3798541801
enrollment selfsigned
subject-name  cn=IOS-Self-Signed-Certificate-3798541801
revocation-check  none
rsakeypair TP-self-signed-3798541801
!
!
crypto pki  certificate chain TP-self-signed-3798541801
certificate self-signed 01
   3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
   69666963 6174652D 33373938 35343138 3031301E 170D3039 30333130 31363433
   31315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37393835
   34313830 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
   8100AF2C 49896D4B 59DC182F B0A72A87 7A2D27C8 0003BDC7 07CB910D 15FB34DE
   B603E7FB 28247D5B 94C8313F 000B9AC6 4066DFE0 E3BD0C96 F526E064 F43F274E
   529F4D05 1A2A2587 AE8A28A2 AF24BF78 6120BE25 BAB3B222 A9C1EF3C CF49099F
   DA489AAE D68C2F0F 7D4B8572 CA5A23C8 C3F2B1F8 57242F5C 265D24B8 ED55D778
   0EFB0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
   551D1104 09300782 05554335 3230301F 0603551D 23041830 168014AE 21B7EABC
   E04263F3 622BDFF1 88F1A4A5 125F9930 1D060355 1D0E0416 0414AE21 B7EABCE0
   4263F362 2BDFF188 F1A4A512 5F99300D 06092A86 4886F70D 01010405 00038181
   007E4AF4 9781D726 BBE4B4D2 D3B98FB0 335B7868 EB463D3E C4F15E6D 9CDA9314
   AC98D61D 50F2395C C9665837 9C257386 4A5D01BC EEBD338A 01280261 A8D74A79
   4A24141A 09828B77 B2C3BB27 0FF2931D 67634FA6 92820CF9 5393F42F DBF713C4
   8BE94DF5 317DF2C9 F0F3A4D4 219139AC 9B8113E7 EA3C2724 CA4A332D 0D191A5B  9F
        quit
! Source-routing setting and the DHCP pools for the voice (10.1.1.0/24) and data
! (192.168.10.0/24) VLANs.
dot11 syslog
! NOTE(review): "no ip source-route" is the usual hardening setting.
ip source-route
ip cef
!
!
ip  dhcp relay information trust-all
ip dhcp excluded-address 10.1.1.1  10.1.1.10
! NOTE(review): only .1-.10 are excluded from the data pool, while the VPN address pool
! SDM_POOL_1 uses 192.168.10.101-.109 from the same subnet; DHCP could lease an address that
! is also assigned to a VPN client. Excluding the VPN range would avoid the overlap.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp  pool phone
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1 
   option 150 ip 10.1.1.1
!
ip dhcp pool data
   import all
    network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
    dns-server 64.102.6.247
!
!
ip name-server 64.102.6.247
! Classic (CBAC) inspection rule set; it is applied outbound on FastEthernet0/0 so that return
! traffic for these protocols is allowed back through inbound ACL 104.
ip inspect  name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW  ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip  inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name  SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW  rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip  inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name  SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW  tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
! Analog/SCCP application settings, FXO trunk group and global VoIP service options.
no  ipv6 cef
!
stcapp ccm-group 1
stcapp
!
stcapp feature  access-code
!
multilink bundle-name authenticated
!
!
trunk  group  ALL_FXO
!
!
voice call send-alert
voice rtp  send-recv
!
! NOTE(review): all four VoIP-to-VoIP combinations are allowed, so the box will bridge
! H.323/SIP call legs. Inbound ACL 104 on the outside interface does not admit SIP or H.323
! from the Internet; keep it that way to limit toll-fraud exposure.
voice service voip
allow-connections h323 to  h323
allow-connections h323 to sip
allow-connections sip to  h323
allow-connections sip to sip
supplementary-service  h450.12
sip
  no update-callerid
!
!
! Codec preference list: G.711 u-law first, then G.729.
voice class codec  1
codec preference 1 g711ulaw
codec preference 2  g729r8
!
!
!
!
!
!
!
!
!
!
!
! Hunt group and digit-translation rules/profiles.
! Hunt group 1 has pilot number 505 and final number 400.
voice  hunt-group 1 parallel
final 400
list 201,202,203,204,205
timeout 16 
pilot 505
!
!
!
voice translation-rule 1111
!
! Strips a leading 9 from the called number.
voice  translation-rule 1112
rule 1 /^9/ //
!
voice translation-rule  2001
!
! Matches 9 + 1900/1976 + seven digits and replaces the match with nothing; used by the
! CallBlocking profile, presumably to block premium-rate numbers (confirm where it is applied).
voice translation-rule 2222
rule 1 /^91900......./ //
rule  2 /^91976......./ //
!
!
voice translation-profile  CALLER_ID_TRANSLATION_PROFILE
translate calling 1111
!
voice  translation-profile CallBlocking
translate called 2222
!         
voice translation-profile OUTGOING_TRANSLATION_PROFILE
translate calling  1111
translate called 1112
!
!
voice-card 0
no  dspfarm
!
!
! Local accounts. With the AAA lists set to "local", these authenticate device logins and
! Xauth; "remuser" is presumably the VPN Xauth user (confirm).
! NOTE(review): both type 5 hashes are published with this config; change both passwords.
username cisco privilege 15 secret 5  $1$VXm.$Z9dCqAQBcpi2qCnr0HKHi1
username remuser secret 5  $1$TDzM$R5lxPNmJCRSIKsAh94maw.
!
!
! Easy VPN server: IKE policy, client group, ISAKMP profile and IPsec profile.
! NOTE(review): 3DES with Diffie-Hellman group 2 (1024-bit) and pre-shared-key authentication;
! the hash is left at the IOS default. These are legacy choices - where the image and the
! SR520 client support it, AES and a larger DH group are preferable.
crypto isakmp policy 1
encr  3des
authentication pre-share
group 2
!
crypto isakmp client  configuration group EZVPN_GROUP_1
! NOTE(review): group key in clear text and guessable; it matches the key on the SR520 and is
! now public. Rotate it on both ends.
key cisco123
dns 64.102.6.247
pool  SDM_POOL_1
! ACL 105 is the split-tunnel list: only those networks are sent through the tunnel.
acl 105 
! max-users is 10 while SDM_POOL_1 holds nine addresses (.101-.109).
max-users 10
! Binds the group to local Xauth and group authorization and to Virtual-Template1.
crypto isakmp profile  sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client  authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization  list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address  respond
   virtual-template 1
!
!
! ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set  ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile  SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile  sdm-ike-profile-1
!
!
! Configuration change logging (600 entries kept); "hidekeys" keeps passwords out of the
! logged command records.
archive
log config
  logging enable
   logging size 600
  hidekeys
!
!
! Loopback (gateway for the CUE module), the WAN interface and the CUE service-engine interface.
ip tftp source-interface  Loopback0
!
!
!
interface Loopback0
description  $FW_INSIDE$
ip address 10.1.10.2 255.255.255.252
ip access-group 101  in
ip nat inside
ip virtual-reassembly
!
! WAN interface: inbound ACL 104, strict unicast RPF, NAT outside, and CBAC inspection of
! outbound sessions so replies are let back in.
interface  FastEthernet0/0
description $FW_OUTSIDE$
ip address 64.102.88.173  255.255.255.0
ip access-group 104 in
ip verify unicast  reverse-path
ip nat outside
ip inspect SDM_LOW out
ip  virtual-reassembly
duplex auto
speed auto
!
! Internal interface to the voicemail (CUE) module at 10.1.10.1, using the loopback as gateway.
interface  Integrated-Service-Engine0/0
description cue is initialized with default  IMAP group
ip unnumbered Loopback0
ip nat inside
ip  virtual-reassembly
service-module ip address 10.1.10.1  255.255.255.252
service-module ip default-gateway  10.1.10.2
!
! Switch ports 0/1/0-0/1/7: phone ports with voice VLAN 100 and PortFast; 0/1/8 is a trunk
! to another switch.
interface FastEthernet0/1/0
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/1
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/2
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/3
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/4
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/5
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/6
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/7
switchport voice vlan  100
macro description cisco-phone
spanning-tree  portfast
!
interface FastEthernet0/1/8
switchport mode trunk
macro  description cisco-switch
!
! Tunnel template for VPN clients and the routed data/voice VLAN interfaces.
! NOTE(review): no "ip access-group" or inspection rule is configured on the template in this
! listing, so traffic arriving from VPN clients does not appear to be filtered by ACLs
! 101-104 - confirm this is intended.
interface Virtual-Template1 type tunnel
ip  unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile  SDM_Profile1
!
! Data VLAN gateway.
interface Vlan1
description $FW_INSIDE$
ip address  192.168.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip  virtual-reassembly
!
! Voice VLAN gateway; 10.1.1.1 is also the option-150 TFTP address given to phones.
interface Vlan100
description $FW_INSIDE$
ip  address 10.1.1.1 255.255.255.0
ip access-group 103 in
ip nat  inside
ip virtual-reassembly
!
! VPN client address pool, static routes, device web server and NAT overload.
! The pool is carved out of the data VLAN subnet (192.168.10.0/24) and holds nine addresses.
ip local pool SDM_POOL_1 192.168.10.101  192.168.10.109
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0  64.102.88.1
ip route 10.1.10.1 255.255.255.255  Integrated-Service-Engine0/0
!
! NOTE(review): plain HTTP is enabled next to HTTPS for the management GUI; ACL 104 does not
! admit it from the WAN, but credentials can cross the inside networks and the VPN
! unencrypted. Disable "ip http server" if the GUI works over HTTPS only (confirm).
ip http server
ip http authentication  local
ip http secure-server
ip http path flash:/gui
ip nat inside  source list 1 interface FastEthernet0/0 overload
!
! ACL 1: inside sources translated by NAT overload (voice, data and the CUE /30).
access-list 1 remark  SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1  permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.10.0  0.0.0.3
! ACL 100: anti-spoofing list; it is not applied to any interface in this listing.
access-list 100 remark auto generated by SDM firewall  configuration
access-list 100 remark SDM_ACL Category=1
access-list 100  deny   ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip host  255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255  any
access-list 100 permit ip any any
! ACL 101 (inbound on Loopback0): permits IKE/NAT-T/ESP/AH to 10.1.10.2 and SCCP (port 2000)
! from the voice VLAN, denies sources belonging to the other local subnets, the outside
! subnet, broadcast and loopback, then permits everything else.
access-list 101 remark auto  generated by SDM firewall configuration##NO_ACES_8##
access-list 101 remark  SDM_ACL Category=1
access-list 101 permit udp any host 10.1.10.2 eq  non500-isakmp
access-list 101 permit udp any host 10.1.10.2 eq  isakmp
access-list 101 permit esp any host 10.1.10.2
access-list 101  permit ahp any host 10.1.10.2
access-list 101 permit tcp 10.1.1.0 0.0.0.255  eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000  any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101  deny   ip 64.102.88.0 0.0.0.255 any
access-list 101 deny   ip 10.1.1.0  0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255  any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101  permit ip any any
! ACL 102 (inbound on Vlan1, data): permits IKE/NAT-T/ESP/AH to 192.168.10.1, denies sources
! that belong to other local subnets, the outside subnet, broadcast and loopback
! (anti-spoofing), then permits everything else from the data VLAN.
access-list 102 remark auto generated by SDM firewall  configuration##NO_ACES_6##
access-list 102 remark SDM_ACL  Category=1
access-list 102 permit udp any host 192.168.10.1 eq  non500-isakmp
access-list 102 permit udp any host 192.168.10.1 eq  isakmp
access-list 102 permit esp any host 192.168.10.1
access-list 102  permit ahp any host 192.168.10.1
access-list 102 deny   ip 10.1.10.0 0.0.0.3  any
access-list 102 deny   ip 64.102.88.0 0.0.0.255 any
access-list 102  deny   ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip host  255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255  any
access-list 102 permit ip any any
! ACL 103 (inbound on Vlan100, voice): permits IKE/NAT-T/ESP/AH to 10.1.1.1 and port 2000
! (SCCP) from the CUE /30, denies spoofed sources from the other local subnets, the outside
! subnet, broadcast and loopback, then permits everything else from the voice VLAN.
access-list 103 remark auto  generated by SDM firewall configuration##NO_ACES_8##
access-list 103 remark  SDM_ACL Category=1
access-list 103 permit udp any host 10.1.1.1 eq  non500-isakmp
access-list 103 permit udp any host 10.1.1.1 eq  isakmp
access-list 103 permit esp any host 10.1.1.1
access-list 103 permit  ahp any host 10.1.1.1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq  2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list  103 deny   ip 10.1.10.0 0.0.0.3 any
access-list 103 deny   ip 192.168.10.0  0.0.0.255 any
access-list 103 deny   ip 64.102.88.0 0.0.0.255  any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103  deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any  any
! ACL 104 (inbound on the WAN interface): default-deny with logging. Admits only IKE (UDP 500),
! NAT-T (UDP 4500), ESP and AH to the router's public address, DNS replies from the configured
! resolver, and three ICMP reply types; drops RFC 1918, loopback, broadcast and 0.0.0.0
! sources. Other return traffic relies on the "ip inspect SDM_LOW out" rule on the interface.
access-list 104 remark auto generated by SDM firewall  configuration##NO_ACES_14##
access-list 104 remark SDM_ACL  Category=1
access-list 104 permit udp any host 64.102.88.173 eq  non500-isakmp
access-list 104 permit udp any host 64.102.88.173 eq  isakmp
access-list 104 permit esp any host 64.102.88.173
access-list 104  permit ahp any host 64.102.88.173
access-list 104 deny   ip 10.1.10.0 0.0.0.3  any
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104  deny   ip 10.1.1.0 0.0.0.255 any
! NOTE(review): stateless match on source port 53 only; any UDP packet from this host with
! source port "domain" is admitted to any destination.
access-list 104 permit udp host 64.102.6.247  eq domain any
access-list 104 permit icmp any host 64.102.88.173  echo-reply
access-list 104 permit icmp any host 64.102.88.173  time-exceeded
access-list 104 permit icmp any host 64.102.88.173  unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255  any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104  deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0  0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255  any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip  any any log
! ACL 105: split-tunnel list pushed to EzVPN clients (data, voice and CUE networks). The
! 10.1.10.0 entry uses a /24 wildcard although the interface is a /30.
access-list 105 remark SDM_ACL Category=4
access-list 105  permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0  0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.255  any
! NOTE(review): default read-only community string with no ACL attached. ACL 104 does not
! admit SNMP from the WAN, but the agent answers on the inside networks and to VPN clients.
! Use a non-default string bound to an ACL, or SNMPv3. The listing ends here, so the
! vty/console settings of this device are not shown.
snmp-server community public RO
!
