version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter-cr10
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
logging console errors
enable secret removed
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.18.46.1 172.18.46.128
!
ip dhcp pool mytest-test
   import all
   network 172.18.46.0 255.255.255.0
   domain-name mydomain.com
   dns-server 172.18.18.65 172.18.16.65
   default-router 172.18.46.1
   netbios-name-server 172.18.18.65 172.18.16.65
!
!
ip domain name mydomain.com
ip name-server ISP DNS 1
ip name-server ISP DNS 2
ip ddns update method sdm_ddns1
 HTTP
  add http://removed@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
  remove http://removed@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
!
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key adsldynvpn address VPN IP 1 no-xauth
crypto isakmp key adsldynvpn address VPN IP 2 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toVPN IP 2
 set peer VPN IP 2
 set transform-set ESP-3DES-MD5
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toVPN IP 1
 set peer VPN IP 1
 set transform-set ESP-3DES-MD5
 match address 103
!
bridge irb
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description connected to client-inside
!
interface FastEthernet1
 description nha-outside
 switchport access vlan 2
!
interface FastEthernet2
 description nha-outside
 switchport access vlan 2
!
interface FastEthernet3
 description nha-outside
 switchport access vlan 2
 shutdown
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 no preamble-short
 station-role root
!
interface Vlan1
 description connected to testclient-inside
 ip address 172.20.96.7 255.255.252.0
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
 bridge-group 1
!
interface Dialer0
 ip ddns update hostname myrouter-cr10.dyndns.org
 ip ddns update sdm_ddns1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username removed
 crypto map SDM_CMAP_1
!
interface Dialer1
 no ip address
!
interface BVI1
 description my-test
 ip address 172.18.46.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.20.96.0 255.255.252.0 172.20.96.1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_5 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_6 interface Vlan1 overload
!
ip radius source-interface BVI1
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.46.0 0.0.0.255 172.18.16.0 0.0.1.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.18.46.0 0.0.0.255 MY NETWORK EXT. IP RANGE 0.0.0.127
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.18.46.0 0.0.0.255 172.18.18.0 0.0.1.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 106 remark SDM_ACL Category=2
access-list 106 remark deny internet-nat to my office A-dmz
access-list 106 deny ip 172.18.46.0 0.0.0.255 MY NETWORK EXT. IP RANGE 0.0.0.127
access-list 106 remark deny internet-nat to office A network
access-list 106 deny ip 172.18.46.0 0.0.0.255 172.18.18.0 0.0.1.255
access-list 106 remark deny internet-nat to office B network
access-list 106 deny ip 172.18.46.0 0.0.0.255 172.18.16.0 0.0.1.255
access-list 106 remark deny internet-nat to testclient network
access-list 106 deny ip 172.18.46.0 0.0.0.255 172.20.96.0 0.0.3.255
access-list 106 permit ip 172.18.46.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=2
access-list 107 remark deny testclient-nat for destination my office B-dmz
access-list 107 deny ip 172.18.46.0 0.0.0.255 MY NETWORK EXT. IP RANGE 0.0.0.127
access-list 107 remark deny mex-nat for destination nha-jhb
access-list 107 deny ip 172.18.46.0 0.0.0.255 172.18.18.0 0.0.1.255
access-list 107 remark deny testclient-nat for destination office B network
access-list 107 deny ip 172.18.46.0 0.0.0.255 172.18.16.0 0.0.1.255
access-list 107 permit ip 172.18.46.0 0.0.0.255 172.20.96.0 0.0.3.255
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_5 permit 1
 match ip address 106
!
route-map SDM_RMAP_6 permit 1
 match ip address 107
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password removed
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175108
ntp server removed prefer
ntp server removed
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

nha-ctn-cr10#ping www.google.co.za
Translating "www.google.co.za"...domain server (ISP 1 DNS ) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.183.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 612/622/628 ms
nha-ctn-cr10#ping www.google.com source bv 1
Translating "www.google.com"...domain server (ISP 1 DNS) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.183.104, timeout is 2 seconds:
Packet sent with a source address of 172.18.46.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 628/632/640 ms
nha-ctn-cr10#ping www.google.com source bv 1
Translating "www.google.com"...domain server (ISP 1 DNS) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 64.233.167.104, timeout is 2 seconds:
Packet sent with a source address of 172.18.46.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 552/559/564 ms
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:10   172.18.46.1:10     64.233.183.104:10  64.233.183.104:10
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:10   172.18.46.1:10     64.233.183.104:10  64.233.183.104:10
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:10   172.18.46.1:10     64.233.183.104:10  64.233.183.104:10
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:10   172.18.46.1:10     64.233.183.104:10  64.233.183.104:10
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:10   172.18.46.1:10     64.233.183.104:10  64.233.183.104:10
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
Pro  Inside global      Inside local       Outside local      Outside global
icmp 41.240.18.224:11   172.18.46.1:11     64.233.167.104:11  64.233.167.104:11
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
nha-ctn-cr10#sh ip nat trans
myrouter-cr10#