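!
! Cisco 1841, IOS 12.4 - branch router "Alex".
! Fa0/0 is the WAN side (inbound filter 101, uRPF, CBAC inspection outbound,
! IPS both ways, NAT outside, crypto map "Cairo"); Fa0/1 is the LAN
! 192.168.100.0/24 (inbound filter 100, NAT inside).
! Site-to-site IPsec peers: "Cairo" (192.168.1.0/24) and "Mercia"
! (192.168.85.0/24). "Burg" (192.168.101.0/24) is reached through
! 192.168.100.199 on the LAN and is carried over both tunnels. Remote-access
! IPsec clients (groups Alex / cairo) draw addresses from SDM_POOL_1/2, which
! lie inside the LAN subnet.
!
! "WAN IP", "Cairo WAN IP", "Mercia WAN IP" and "ADSL Modem IP" are redaction
! placeholders left in this exported copy, not IOS syntax; substitute the real
! addresses before loading. The banner delimiter (^C) was lost in the export
! and is reconstructed below.
!
! Review edits relative to the exported copy (everything else is unchanged):
!   - vty lines accept SSH only (telnet removed from "transport input")
!   - "ip ssh version 2" added
!   - cleartext "ip http server" replaced by "no ip http server";
!     HTTPS (ip http secure-server) is kept for SDM
!   - dead ACE "permit ip host 192.168.1.0 host 192.168.100.0" dropped
!     from access-list 101 (host keyword on a network address never matches
!     real traffic; the intended /24 <-> /24 entry already follows it)
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!
! Login failure throttling is present; NOTE(review): min-length 6 is the
! lowest useful floor - raise it when the local accounts are next rotated.
security authentication failure rate 3 log
security passwords min-length 6
! NOTE(review): "logging trap errors" is set further down but no "logging host"
! and no "ntp server" appear anywhere in this copy, so the 51200-byte buffer is
! the only log and timestamps depend on the manually set clock - confirm.
logging buffered 51200 errors
logging console critical
! Type 5 (MD5-crypt) is the strongest secret format this IOS train stores.
enable secret 5 $1$yMsE$cGLkuxCcvBSqve3lHRXtK/
!
! Local AAA: console/vty/HTTP logins and remote-access XAUTH all use the local
! user database; group authorization for the client groups is local too.
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
! Manual clock; the summer-time dates are fixed to 2003 and will not recur.
clock timezone Cairo 2
clock summer-time Cairo date Apr 25 2003 12:00 Sep 26 2003 12:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
ip tcp synwait-time 10
!
no ip bootp server
ip domain name iam.loc
ip name-server 192.168.100.10
ip name-server 192.168.100.11
ip ssh time-out 60
ip ssh authentication-retries 2
! Review edit: pin SSHv2. Without it 12.4 advertises version 1.99 and still
! accepts SSHv1 clients.
ip ssh version 2
! CBAC inspection set; applied outbound on Fa0/0 so return traffic for
! LAN-initiated sessions is opened through ACL 101.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
! Inline IPS with the signature file on flash; alerts via SDEE only (no
! syslog destination exists, see logging note above).
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
! Self-signed certificate used by the HTTPS management server.
crypto pki trustpoint TP-self-signed-4284340423
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4284340423
 revocation-check none
 rsakeypair TP-self-signed-4284340423
!
crypto pki certificate chain TP-self-signed-4284340423
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323834 33343034 3233301E 170D3036 30373034 31313435
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383433
  34303432 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D8A6 A745F6E5 609E6D7F 9F8016C7 621F32A2 EE51F239 EF6280F1 9154E006
  ACD4CE81 37ED9C36 FDD16854 B8FAF33C D1195DAC F678D1EA A9F82608 8117F0E9
  70E66116 F18A5C78 B00635B5 D73D3CB0 DB304259 1462056D 92A1AF30 0475992E
  5043336B 6E1D9457 DC38EB3A 29131B02 4B55AE69 D85CD135 0B4084DF 6F087166
  ECF30203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 11436973 636F3138 34312E69 616D2E6C 6F63301F 0603551D
  23041830 168014D2 8249E901 3B9A5982 FA2A6A19 23AD4D45 BD1F5430 1D060355
  1D0E0416 0414D282 49E9013B 9A5982FA 2A6A1923 AD4D45BD 1F54300D 06092A86
  4886F70D 01010405 00038181 00D39168 6AB71C22 00828678 D77A5759 9D89C5B9
  DBBAB95F 63D69416 A4AD178B 76F5D2CB 90892496 6A5684F6 2DEC4F94 05DF771A
  55AF3F75 E5949537 6EBF8E57 9B054521 6EBF59CF 928E6A73 EAA8850E 33634D17
  C5E512E7 04E5CDC6 38D8F699 DE44BB43 000C1B3C BFB39D2F B13BD246 092D3189
  3B35AE5A 8761618A 5157C988 F9
  quit
! Local accounts. Two of the three hold privilege 15 (full exec without
! "enable"); hfanous lands at the default privilege level.
username administrator privilege 15 secret 5 $1$zDhS$8nxQMkpLvd67PjdHny4i0.
username userw privilege 15 secret 5 $1$Wlfh$c6bhspqok.n8KkqvRsQf9.
username hfanous secret 5 $1$5mbM$DNm/882S/uaW2Rtg5RlmJ.
!
! IKE phase 1. NOTE(review): policy 1 has no "group" line, so DH group 1
! (768-bit) applies to it; policy 100 uses group 2. Both are 3DES with MD5 or
! the default hash. Every peer must agree before these change, so they are
! left as exported.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
! Site-to-site pre-shared keys. The key value "user" is presumably a
! redaction placeholder in this copy - confirm against the device.
crypto isakmp key user address Cairo WAN IP no-xauth
crypto isakmp key user address Mercia WAN IP no-xauth
crypto isakmp xauth timeout 15
!
! Remote-access client groups. NOTE(review): the group keys below are stored
! in the clear on this IOS train and "save-password" lets clients cache them;
! rotate them if this export has circulated, and consider removing
! save-password.
crypto isakmp client configuration group Alex
 key VPNalex
 dns 192.168.100.10 192.168.100.11
 wins 192.168.100.10 192.168.100.11
 domain iam
 pool SDM_POOL_1
 save-password
 netmask 255.255.255.0
!
crypto isakmp client configuration group cairo
 key VPNcairo
 dns 192.168.100.10 192.168.1.10
 wins 192.168.100.10 192.168.1.10
 pool SDM_POOL_2
 save-password
 netmask 255.255.255.0
!
! IPsec phase 2 proposals (3DES; MD5-HMAC for the two sites, SHA-HMAC for
! clients). df-bit clear lets oversized tunnel packets fragment.
crypto ipsec transform-set Cairo esp-3des esp-md5-hmac
crypto ipsec transform-set Mercia esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
! Dynamic entry for remote-access clients; reverse-route injects host routes
! for the assigned pool addresses.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
! One crypto map carries both static site-to-site entries and the dynamic
! client entry (65535, evaluated last).
crypto map Cairo client authentication list sdm_vpn_xauth_ml_1
crypto map Cairo isakmp authorization list sdm_vpn_group_ml_1
crypto map Cairo client configuration address respond
crypto map Cairo 1 ipsec-isakmp
 description Cairo IPSec Tunnel
 set peer Cairo WAN IP
 set transform-set Cairo
 match address Cairo
crypto map Cairo 2 ipsec-isakmp
 description Mercia
 set peer Mercia WAN IP
 set transform-set Mercia
 match address Mercia
crypto map Cairo 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
! WAN interface. NOTE(review): uRPF depends on CEF; CEF is on globally but
! "no ip route-cache cef" is set on this interface - confirm with
! "show ip interface FastEthernet0/0" that the unicast RPF check is active.
interface FastEthernet0/0
 description WAN$FW_OUTSIDE$$ES_WAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-WAN$
 ip address WAN IP 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
 crypto map Cairo
!
! LAN interface; ACL 100 only strips spoofed WAN-block, broadcast and
! loopback sources.
interface FastEthernet0/1
 description LAN$FW_INSIDE$$ES_LAN$$ETH-LAN$
 ip address 192.168.100.2 255.255.255.0
 ip access-group 100 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
! NOTE(review): Fa0/1 is passive, so RIP updates (v1 by default, no
! "version" line) go out only on Fa0/0 - i.e. the internal prefixes are
! announced in cleartext onto the WAN segment, while ACL 101 drops any
! inbound RIP. If nothing peers with RIP, remove it or use
! "passive-interface default" with explicit neighbors; left as exported.
router rip
 passive-interface FastEthernet0/1
 network 192.168.1.0
 network 192.168.85.0
 network 192.168.100.0
 network 192.168.101.0
 no auto-summary
!
! Remote-access address pools (.200-.209 and .210-.219 of the LAN subnet).
ip local pool SDM_POOL_1 192.168.100.200 192.168.100.209
ip local pool SDM_POOL_2 192.168.100.210 192.168.100.219
ip classless
! Default via the ADSL modem; remote LANs are pointed out Fa0/0 so the crypto
! map sees them; Burg is behind an internal gateway on the LAN.
ip route 0.0.0.0 0.0.0.0 ADSL Modem IP permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0/0 permanent
ip route 192.168.85.0 255.255.255.0 FastEthernet0/0 permanent
ip route 192.168.101.0 255.255.255.0 192.168.100.199 permanent
!
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 216000
!
! Review edit: plain-HTTP management disabled; the exported copy had
! "ip http server" next to secure-server, so local logins could be sent in
! cleartext. SDM keeps working over HTTPS - confirm it is launched that way.
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT to the WAN address; the route-maps (via ACLs 102 and Alex) exempt
! tunnel-bound and client-pool traffic from translation.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet0/0 overload
!
! NAT-exemption list for the LAN: deny = do not translate. Per-host entries
! cover .200-.250 although the pools only reach .219 (harmless).
ip access-list extended Alex
 remark Alex NAT
 remark SDM_ACL Category=2
 deny ip any host 192.168.100.200
 deny ip any host 192.168.100.201
 deny ip any host 192.168.100.202
 deny ip any host 192.168.100.203
 deny ip any host 192.168.100.204
 deny ip any host 192.168.100.205
 deny ip any host 192.168.100.206
 deny ip any host 192.168.100.207
 deny ip any host 192.168.100.208
 deny ip any host 192.168.100.209
 deny ip any host 192.168.100.210
 deny ip any host 192.168.100.211
 deny ip any host 192.168.100.212
 deny ip any host 192.168.100.213
 deny ip any host 192.168.100.214
 deny ip any host 192.168.100.215
 deny ip any host 192.168.100.216
 deny ip any host 192.168.100.217
 deny ip any host 192.168.100.218
 deny ip any host 192.168.100.219
 deny ip any host 192.168.100.220
 deny ip any host 192.168.100.221
 deny ip any host 192.168.100.222
 deny ip any host 192.168.100.223
 deny ip any host 192.168.100.224
 deny ip any host 192.168.100.225
 deny ip any host 192.168.100.226
 deny ip any host 192.168.100.227
 deny ip any host 192.168.100.228
 deny ip any host 192.168.100.229
 deny ip any host 192.168.100.230
 deny ip any host 192.168.100.231
 deny ip any host 192.168.100.232
 deny ip any host 192.168.100.233
 deny ip any host 192.168.100.234
 deny ip any host 192.168.100.235
 deny ip any host 192.168.100.236
 deny ip any host 192.168.100.237
 deny ip any host 192.168.100.238
 deny ip any host 192.168.100.239
 deny ip any host 192.168.100.240
 deny ip any host 192.168.100.241
 deny ip any host 192.168.100.242
 deny ip any host 192.168.100.243
 deny ip any host 192.168.100.244
 deny ip any host 192.168.100.245
 deny ip any host 192.168.100.246
 deny ip any host 192.168.100.247
 deny ip any host 192.168.100.248
 deny ip any host 192.168.100.249
 deny ip any host 192.168.100.250
 remark Burg - Mercia - WAN
 deny ip 10.10.10.0 0.0.0.255 192.168.85.0 0.0.0.255
 remark Burg - Mercia
 deny ip 192.168.101.0 0.0.0.255 192.168.85.0 0.0.0.255
 remark Mercia - Burg
 deny ip 192.168.85.0 0.0.0.255 192.168.101.0 0.0.0.255
 remark Burg - Cairo - WAN
 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Burg - Cairo
 deny ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Cairo - Burg
 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 remark Cairo-Alex
 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark Alex-Cairo
 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Mercia-Alex
 deny ip 192.168.85.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark Alex-Mercia
 deny ip 192.168.100.0 0.0.0.255 192.168.85.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
! Crypto ACL for the Cairo tunnel (interesting traffic).
ip access-list extended Cairo
 remark Cairo IPsec Tunnel
 remark SDM_ACL Category=4
 remark Alex-Cairo
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Cairo-Alex
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark Cairo - Burg
 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
 remark Burg - Cairo
 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark Burg - Cairo - WAN
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! Crypto ACL for the Mercia tunnel.
ip access-list extended Mercia
 remark Mercia IPSec Tunnel
 remark SDM_ACL Category=4
 remark Alex-Mercia
 permit ip 192.168.100.0 0.0.0.255 192.168.85.0 0.0.0.255
 remark Mercia-Alex
 permit ip 192.168.85.0 0.0.0.255 192.168.100.0 0.0.0.255
 remark Mercia - Burg
 permit ip 192.168.85.0 0.0.0.255 192.168.101.0 0.0.0.255
 remark Burg - Mercia
 permit ip 192.168.101.0 0.0.0.255 192.168.85.0 0.0.0.255
 remark Burg - Mercia - WAN
 permit ip 10.10.10.0 0.0.0.255 192.168.85.0 0.0.0.255
!
logging trap errors
! ACL 1 is SDM's marker for the inside network; not referenced by any command
! in this copy.
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
! ACL 100 - LAN ingress anti-spoof (the WAN /29, limited broadcast, loopback).
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 62.135.105.160 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 - WAN ingress. Order matters: the site/LAN permits come before the
! anti-spoof denies at the end.
! NOTE(review): the permits with private sources (192.168.1.0/24 any,
! 192.168.101.0/24 any, tcp 192.168.85.0/24 any, and the site-to-site pairs)
! are presumably there so decrypted tunnel traffic passes this ACL, but they
! also accept cleartext packets with those sources arriving from the WAN,
! ahead of the "deny ip 192.168.0.0 0.0.255.255 any" below. uRPF does not
! close that for 192.168.1.0/24 or 192.168.85.0/24 because their static
! routes point out Fa0/0. Confirm whether the decrypted-packet ACL re-check
! applies on this IOS before tightening these entries.
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Burg WAN
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 101 remark Burg - Mercia - WAN
access-list 101 permit ip 192.168.85.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark Burg - Mercia
access-list 101 permit ip 192.168.85.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 remark Mercia - Burg
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 101 remark Burg - Cairo - WAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark Burg - Cairo
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 101 remark Cairo - Burg
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit tcp 192.168.85.0 0.0.0.255 any
access-list 101 remark Mercia-Alex
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 101 remark Alex-Mercia
access-list 101 permit ip 192.168.85.0 0.0.0.255 192.168.100.0 0.0.0.255
! IKE / NAT-T / ESP / AH from the Mercia peer.
access-list 101 permit udp host Mercia WAN IP host WAN IP eq non500-isakmp
access-list 101 permit udp host Mercia WAN IP host WAN IP eq isakmp
access-list 101 permit esp host Mercia WAN IP host WAN IP
access-list 101 permit ahp host Mercia WAN IP host WAN IP
access-list 101 remark Cairo-Alex
access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
! Review edit: the exported copy had "remark IPSec Rule" followed by
! "permit ip host 192.168.1.0 host 192.168.100.0" here. "host" with a
! network address matches only a packet from exactly 192.168.1.0 to exactly
! 192.168.100.0, so the entry was dead; the /24 pair it meant is next.
access-list 101 remark Alex-Cairo
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
! IKE / NAT-T / ESP / AH from the Cairo peer.
access-list 101 permit udp host Cairo WAN IP host WAN IP eq non500-isakmp
access-list 101 permit udp host Cairo WAN IP host WAN IP eq isakmp
access-list 101 permit esp host Cairo WAN IP host WAN IP
access-list 101 permit ahp host Cairo WAN IP host WAN IP
! NOTE(review): this lets any IP protocol from the Cairo peer reach the whole
! local WAN /29 in the clear, well beyond the IKE/ESP/AH entries above -
! confirm it is still needed.
access-list 101 remark IPSec Rule
access-list 101 permit ip host Cairo WAN IP 62.135.105.160 0.0.0.7
! Decrypted remote-access client traffic (pool hosts). .220-.250 are outside
! both pools defined above; harmless but dead.
access-list 101 permit ip host 192.168.100.200 any
access-list 101 permit ip host 192.168.100.201 any
access-list 101 permit ip host 192.168.100.202 any
access-list 101 permit ip host 192.168.100.203 any
access-list 101 permit ip host 192.168.100.204 any
access-list 101 permit ip host 192.168.100.205 any
access-list 101 permit ip host 192.168.100.206 any
access-list 101 permit ip host 192.168.100.207 any
access-list 101 permit ip host 192.168.100.208 any
access-list 101 permit ip host 192.168.100.209 any
access-list 101 permit ip host 192.168.100.210 any
access-list 101 permit ip host 192.168.100.211 any
access-list 101 permit ip host 192.168.100.212 any
access-list 101 permit ip host 192.168.100.213 any
access-list 101 permit ip host 192.168.100.214 any
access-list 101 permit ip host 192.168.100.215 any
access-list 101 permit ip host 192.168.100.216 any
access-list 101 permit ip host 192.168.100.217 any
access-list 101 permit ip host 192.168.100.218 any
access-list 101 permit ip host 192.168.100.219 any
access-list 101 permit ip host 192.168.100.220 any
access-list 101 permit ip host 192.168.100.221 any
access-list 101 permit ip host 192.168.100.222 any
access-list 101 permit ip host 192.168.100.223 any
access-list 101 permit ip host 192.168.100.224 any
access-list 101 permit ip host 192.168.100.225 any
access-list 101 permit ip host 192.168.100.226 any
access-list 101 permit ip host 192.168.100.227 any
access-list 101 permit ip host 192.168.100.228 any
access-list 101 permit ip host 192.168.100.229 any
access-list 101 permit ip host 192.168.100.230 any
access-list 101 permit ip host 192.168.100.231 any
access-list 101 permit ip host 192.168.100.232 any
access-list 101 permit ip host 192.168.100.233 any
access-list 101 permit ip host 192.168.100.234 any
access-list 101 permit ip host 192.168.100.235 any
access-list 101 permit ip host 192.168.100.236 any
access-list 101 permit ip host 192.168.100.237 any
access-list 101 permit ip host 192.168.100.238 any
access-list 101 permit ip host 192.168.100.239 any
access-list 101 permit ip host 192.168.100.240 any
access-list 101 permit ip host 192.168.100.241 any
access-list 101 permit ip host 192.168.100.242 any
access-list 101 permit ip host 192.168.100.243 any
access-list 101 permit ip host 192.168.100.244 any
access-list 101 permit ip host 192.168.100.245 any
access-list 101 permit ip host 192.168.100.246 any
access-list 101 permit ip host 192.168.100.247 any
access-list 101 permit ip host 192.168.100.248 any
access-list 101 permit ip host 192.168.100.249 any
access-list 101 permit ip host 192.168.100.250 any
! IKE / NAT-T / ESP / AH from anywhere (remote-access clients).
access-list 101 permit udp any host WAN IP eq non500-isakmp
access-list 101 permit udp any host WAN IP eq isakmp
access-list 101 permit esp any host WAN IP
access-list 101 permit ahp any host WAN IP
! DNS replies from the two name servers to the WAN address.
access-list 101 permit udp host 192.168.100.11 eq domain host WAN IP
access-list 101 permit udp host 192.168.100.10 eq domain host WAN IP
access-list 101 remark cairo
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark Burg
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any host WAN IP echo-reply
access-list 101 permit icmp any host WAN IP time-exceeded
access-list 101 permit icmp any host WAN IP unreachable
! Anti-spoof tail and explicit final deny.
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
! ACL 102 - NAT-exemption list for Burg (192.168.101.0/24): deny = do not
! translate; only Burg-sourced traffic is translated at the end.
access-list 102 remark Burg NAT
access-list 102 remark SDM_ACL Category=2
access-list 102 remark Burg - Mercia - WAN
access-list 102 deny ip 10.10.10.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 102 remark Burg - Mercia
access-list 102 deny ip 192.168.101.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 102 remark Mercia - Burg
access-list 102 deny ip 192.168.85.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 remark Burg - Cairo - WAN
access-list 102 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Burg - Cairo
access-list 102 deny ip 192.168.101.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Cairo - Burg
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny ip any host 192.168.100.200
access-list 102 deny ip any host 192.168.100.201
access-list 102 deny ip any host 192.168.100.202
access-list 102 deny ip any host 192.168.100.203
access-list 102 deny ip any host 192.168.100.204
access-list 102 deny ip any host 192.168.100.205
access-list 102 deny ip any host 192.168.100.206
access-list 102 deny ip any host 192.168.100.207
access-list 102 deny ip any host 192.168.100.208
access-list 102 deny ip any host 192.168.100.209
access-list 102 deny ip any host 192.168.100.210
access-list 102 deny ip any host 192.168.100.211
access-list 102 deny ip any host 192.168.100.212
access-list 102 deny ip any host 192.168.100.213
access-list 102 deny ip any host 192.168.100.214
access-list 102 deny ip any host 192.168.100.215
access-list 102 deny ip any host 192.168.100.216
access-list 102 deny ip any host 192.168.100.217
access-list 102 deny ip any host 192.168.100.218
access-list 102 deny ip any host 192.168.100.219
access-list 102 deny ip any host 192.168.100.220
access-list 102 deny ip any host 192.168.100.221
access-list 102 deny ip any host 192.168.100.222
access-list 102 deny ip any host 192.168.100.223
access-list 102 deny ip any host 192.168.100.224
access-list 102 deny ip any host 192.168.100.225
access-list 102 deny ip any host 192.168.100.226
access-list 102 deny ip any host 192.168.100.227
access-list 102 deny ip any host 192.168.100.228
access-list 102 deny ip any host 192.168.100.229
access-list 102 deny ip any host 192.168.100.230
access-list 102 deny ip any host 192.168.100.231
access-list 102 deny ip any host 192.168.100.232
access-list 102 deny ip any host 192.168.100.233
access-list 102 deny ip any host 192.168.100.234
access-list 102 deny ip any host 192.168.100.235
access-list 102 deny ip any host 192.168.100.236
access-list 102 deny ip any host 192.168.100.237
access-list 102 deny ip any host 192.168.100.238
access-list 102 deny ip any host 192.168.100.239
access-list 102 deny ip any host 192.168.100.240
access-list 102 deny ip any host 192.168.100.241
access-list 102 deny ip any host 192.168.100.242
access-list 102 deny ip any host 192.168.100.243
access-list 102 deny ip any host 192.168.100.244
access-list 102 deny ip any host 192.168.100.245
access-list 102 deny ip any host 192.168.100.246
access-list 102 deny ip any host 192.168.100.247
access-list 102 deny ip any host 192.168.100.248
access-list 102 deny ip any host 192.168.100.249
access-list 102 deny ip any host 192.168.100.250
access-list 102 remark Cairo-Alex
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 remark Alex-Cairo
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark Mercia-Alex
access-list 102 deny ip 192.168.85.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 remark Alex-Mercia
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.85.0 0.0.0.255
access-list 102 permit ip 192.168.101.0 0.0.0.255 any
! NOTE(review): SNMPv2c read-only community with no source restriction. The
! community string travels in the clear and is reachable from any source ACL
! 101 lets through; bind it to an access-list
! ("snmp-server community <name> RO <acl>") or move to SNMPv3 once the NMS
! address is known. Left as exported.
snmp-server community iaromatics RO
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_3 permit 1
 match ip address Alex
!
control-plane
!
! Delimiter ^C reconstructed; the exported copy lost it.
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Console and aux keep outbound telnet as exported.
line con 0
 transport output telnet
line aux 0
 transport output telnet
! Review edit: SSH only on the vty lines. The exported copy had
! "transport input telnet ssh", which accepted cleartext logins (local AAA
! users above) from every source ACL 101 permits, including the remote LANs.
! NOTE(review): no "access-class" limits vty sources - add one once the
! management subnets are confirmed.
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 4000 1000
end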