Current configuration : 12177 bytes
!
! Cisco IOS 12.4 running configuration of an SR520: ADSL/PPPoE uplink
! (Dialer1), an 802.11 radio bridged into VLAN 75, several bridged VLANs,
! a zone-based firewall and an Easy VPN (IKEv1) server on Virtual-Template1.
! The listing was collapsed onto a few long lines; the one-command-per-line
! layout below is restored from it. Lines starting "NOTE(review)" are
! reviewer annotations. Credential material printed here (type-5 hashes,
! type-7 strings, the ISAKMP group key) is sensitive; several values appear
! to have been redacted with runs of "A" before posting.
version 12.4
no service pad
! NOTE(review): timestamps carry no timezone and no ntp/clock lines exist
! anywhere in this config, so log times are only as good as the unset clock.
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 "encryption" is reversible obfuscation: it hides passwords from a
! casual look at the screen, not from anyone holding this file.
service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
! NOTE(review): no "logging host" is configured, so the firewall drop logs
! produced by "ip inspect log drop-pkt" / "audit-trail on" never leave the box.
logging message-counter syslog
! Type 5 is a salted-MD5 hash; rotate it if this file has circulated.
enable secret 5 $1$pUwH$.VWJ15mt5/0k.0tXQNtGi.
!
aaa new-model
!
!
! All AAA lists resolve to the local user database; no RADIUS/TACACS+ server.
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
!
aaa session-id common
!
! Self-signed trustpoint backing "ip http secure-server" further down.
crypto pki trustpoint TP-self-signed-3133312779
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3133312779
 revocation-check none
 rsakeypair TP-self-signed-3133312779
!
!
! NOTE(review): the DER blob below decodes to a 1024-bit RSA key with an
! md5WithRSAEncryption signature, valid 2002-03-04 to 2020-01-01; the 2002
! notBefore is consistent with the clock being unset when the certificate was
! generated. Confirm with "show crypto pki certificates".
crypto pki certificate chain TP-self-signed-3133312779
 certificate self-signed 01
  3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313333 33313237 3739301E 170D3032 30333034 31383334
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31333333
  31323737 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C055 7FBEC196 CDF2156C 00FB3357 124C3334 4FAACDBA 523BF3E7 C50AA846
  2237C205 36BD71E5 7FDD0F14 7B907835 FD75727B 880106A1 00CD60AD 2E4FA8A1
  217CBA82 56A30F45 49D0A833 D3911E5E 8E40243F 389D7937 1DD2DA4A 7E30E1A4
  AE7E666A 729768F9 AEC825F4 6564026A 02F3B427 6F079E02 52E67B94 797F65C1
  35BD0203 010001A3 65306330 0F060355 1D130101 FF040530 030101FF 30100603
  551D1104 09300782 05535235 3230301F 0603551D 23041830 168014AF 02830610
  5140B726 8BAB2483 F2A6F74F 78B7DB30 1D060355 1D0E0416 0414AF02 83061051
  40B7268B AB2483F2 A6F74F78 B7DB300D 06092A86 4886F70D 01010405 00038181
  00128654 58015AAC B8AAACC4 AD7A29FB 743FA382 44BF099C F6B7B704 7C43C6EE
  2971CE84 C60C2F41 81A828EB 33A22175 C1E4B5B8 5334604C 9E2651F0 EECB38DC
  ABA6F504 23E3A601 633494CD 5E9BE051 71A757CC DD2D5EDD 65EEE383 0DC4ECBA
  B671A2F5 AB431B33 989B4CEC 3747D7CE F2D25A51 035CCDA8 37841988 4067EDC4
  A8
  quit
dot11 syslog
!
! NOTE(review): open authentication plus a static WEP key (see interface
! Dot11Radio0). WEP is cryptographically broken; anyone in radio range of
! this SSID lands directly on the inside VLAN 75. Move the SSID to WPA2 with
! AES-CCMP if the clients support it.
dot11 ssid NetHumans
 vlan 75
 authentication open
!
! NOTE(review): IP source routing is left enabled (the 12.4 default);
! "no ip source-route" is the usual baseline on an Internet-facing router.
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
! Inside DHCP scope for VLAN 75; the router itself (BVI75) is gateway and DNS.
ip dhcp pool inside
 network 192.168.75.0 255.255.255.0
 default-router 192.168.75.1
 dns-server 192.168.75.1
!
!
ip cef
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated
! Parameter map used by the sdm-protocol-http class in policy-map sdm-inspect.
parameter-map type inspect z1-z2-pmap
 audit-trail on
!
!
! NOTE(review): "cisco" is a well-known vendor default account name and holds
! privilege 15 here; replace it with a named administrator account. Both
! secrets are salted-MD5 (type 5); rotate them if this file has circulated.
username cisco privilege 15 secret 5 $1$pOzo$paREgWgFYZgGTjvXV3o/n.
username falcon secret 5 $1$.Soe$VeAAAAAAAAAAAAAAAAAAA/
!
!
! NOTE(review): IKEv1 policy with 3DES and DH group 2, no explicit "hash"
! (platform default applies). Both are deprecated; prefer AES and DH group 14
! or higher where the Easy VPN clients support it.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Easy VPN group. The group pre-shared key is stored unobfuscated here (it is
! not covered by service password-encryption). ACL 104 is the split-tunnel
! list; "max-users 10" caps concurrent clients.
crypto isakmp client configuration group EZVPN_GROUP_1
 key AAAAAAAAAATYF465
 dns 192.168.135.10 192.168.75.1
 pool SDM_POOL_1
 acl 104
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
! NOTE(review): 3DES / SHA-1 transform set; same remark as the isakmp policy.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
!
! ---- Zone-based firewall: class maps (SDM/CCP generated) ----
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CMAP_non500isakmp
 match access-group 106
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
! SDM_IP matches "permit ip any any"; every policy that uses it does "pass",
! i.e. no stateful inspection on those zone-pairs.
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any CMAP_isakmp
 match access-group 105
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match class-map SDM_AH
 match class-map SDM_ESP
 match class-map CMAP_isakmp
 match class-map CMAP_non500isakmp
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-h323-1
 match access-group 103
 match protocol h323
class-map type inspect match-all SDM-inspect-staticnat-in
 match access-group name staticnat
! Anti-spoof class: ACL 100 catches broadcast and loopback sources.
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all dhcp_out_self
 match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
 match access-group name dhcp-req-permit
class-map type inspect match-all sdm-nat-sip-2
 match access-group 102
 match protocol sip
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-sip-1
 match access-group 101
 match protocol sip
!
!
! ---- Zone-based firewall: policy maps ----
! self -> out-zone: everything not listed is passed.
policy-map type inspect sdm-permit-icmpreply
 class type inspect dhcp_self_out
  pass
 class type inspect sdm-cls-icmp-access
  inspect
 class class-default
  pass
! in-zone -> out-zone. NOTE(review): class-default is "pass", so inside
! traffic not caught by the inspected protocol list leaves statelessly and
! its replies then fall to the out->in policy, whose class-default drops.
policy-map type inspect sdm-inspect
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-cls-insp-traffic
  inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect z1-z2-pmap
 class class-default
  pass
! out-zone -> in-zone. NOTE(review): the first class passes any TCP/UDP 5060
! and TCP 1720 from the Internet without inspection (the static NAT to
! 192.168.75.2); the later sdm-nat-sip-*/h323 "inspect" classes appear to be
! shadowed for those ports by first-match evaluation. Restricting the source
! of the staticnat ACL to the SIP provider's addresses would narrow this.
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
 class type inspect SDM-Voice-permit
  pass
 class type inspect sdm-nat-sip-1
  inspect
 class type inspect sdm-nat-sip-2
  inspect
 class type inspect sdm-nat-h323-1
  inspect
 class class-default
  drop
! out-zone -> self: only IKE/IPsec and DHCP replies reach the router from the
! Internet; this is what keeps telnet/http/dns off the outside interface.
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect dhcp_out_self
  pass
 class class-default
  drop
! Used on every zone-pair that touches ezvpn-zone: pass all IP, no inspection.
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
! NOTE(review): VPN clients get unfiltered access to in-zone and out-zone and
! vice versa (sdm-permit-ip on all four pairs). There is no zone-pair from
! in-zone or ezvpn-zone to self, so management services are reachable from
! both under the self-zone default. "sdm-zp-out-ezpn1" is spelled differently
! from its siblings (ezvpn); cosmetic, but it hinders grepping.
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
bridge irb
!
!
! ---- Interfaces ----
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/81
  pppoe-client dial-pool-number 1
 !
!
! NOTE(review): trunk whose native (untagged) VLAN is the inside data VLAN 75;
! a dedicated unused native VLAN is the common hardening practice for trunks.
interface FastEthernet0
 switchport trunk native vlan 75
 switchport mode trunk
 macro description cisco-switch
!
interface FastEthernet1
 switchport access vlan 50
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
! Easy VPN server side; each client session is cloned from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered BVI75
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 !
 ! NOTE(review): static 128-bit WEP, stored as a reversible type-7 string.
 ! "transmit-ke y" on the next line is a line-wrap artifact of this listing;
 ! the IOS keyword is "transmit-key".
 encryption vlan 75 key 1 size 128bit 7 3DBD35B65AAAAAA291F2BB29181A transmit-ke y
 encryption vlan 75 mode wep mandatory
 !
 ssid NetHumans
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.75
 encapsulation dot1Q 75 native
 bridge-group 75
 bridge-group 75 subscriber-loop-control
 bridge-group 75 spanning-disabled
 bridge-group 75 block-unknown-source
 no bridge-group 75 source-learning
 no bridge-group 75 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan75
 no ip address
 bridge-group 75
 bridge-group 75 spanning-disabled
!
interface Vlan100
 no ip address
 bridge-group 100
!
interface Vlan50
 no ip address
 bridge-group 50
!
! PPPoE uplink, outside zone and NAT outside. The CHAP/PAP password is a
! type-7 string and is recoverable from this file.
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname internetuser
 ppp chap password 7 AAAAAAAABBC0C0517
 ppp pap sent-username internetuser password 7 AAAAAAAABBC0C0517
 ppp ipcp dns request
!
! Inside gateway for VLAN 75 (also the DHCP/DNS server address).
interface BVI75
 description $FW_INSIDE$
 ip address 192.168.75.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface BVI1
 no ip address
!
interface BVI100
 no ip address
!
! NOTE(review): BVI50 has no "ip nat inside" and 192.168.50.0/24 is absent
! from NAT ACL 1, so VLAN 50 hosts get no Internet translation. This may be
! intentional (isolated segment) - confirm.
interface BVI50
 description $FW_INSIDE$
 ip address 192.168.50.1 255.255.255.0
 zone-member security in-zone
!
! NOTE(review): the VPN address pool sits inside 192.168.135.0/24, which is
! also statically routed to 192.168.75.2 below and listed in NAT ACL 1.
! Whether return traffic to pool clients prefers the per-session
! virtual-access route over that static route should be verified on the box.
ip local pool SDM_POOL_1 192.168.135.221 192.168.135.230
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.0 192.168.75.2
ip route 192.168.50.0 255.255.255.0 BVI50
ip route 192.168.135.0 255.255.255.0 192.168.75.2
!
! NOTE(review): plaintext HTTP management is enabled alongside HTTPS and no
! "ip http access-class" restricts it. The out->self policy blocks it from
! the Internet, but it remains open to in-zone and ezvpn-zone; "no ip http
! server" plus an access-class on the secure server is the usual fix.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
! Overload NAT for the inside prefixes in ACL 1, plus SIP (5060 tcp/udp) and
! H.323 (1720) port-forwards to 192.168.75.2.
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.75.2 5060 interface Dialer1 5060
ip nat inside source static udp 192.168.75.2 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.75.2 1720 interface Dialer1 1720
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended dhcp-req-permit
 remark SDM_ACL Category=1
 permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
 remark SDM_ACL Category=1
 permit udp any eq bootps any eq bootpc
! Inbound voice ports passed without inspection by sdm-inspect-voip-in;
! "any" source means the whole Internet can reach the PBX on these ports.
ip access-list extended staticnat
 remark SDM_ACL Category=1
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit tcp any any eq 1720
!
! NOTE(review): the next stretch (numbered ACLs 1-104 and the named ACLs
! again) appears a second time in this listing, carrying the author's
! "/* ... */" annotation. This looks like a paste artifact of the posted
! config rather than device state; the annotation is not IOS syntax and the
! parser would reject it if this text were pasted back. The authoritative
! ACL section follows after the second "!".
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 192.168.135.0 0.0.0.255
/* I Changed because my data network address in the UC520 is 192.168.135.0 */
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.75.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=4
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended dhcp-req-permit
 remark SDM_ACL Category=1
 permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
 remark SDM_ACL Category=1
 permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
 remark SDM_ACL Category=1
 permit tcp any any eq 5060
 permit udp any any eq 5060
 permit tcp any any eq 1720
!
! ACL 1: prefixes eligible for overload NAT on Dialer1.
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 192.168.135.0 0.0.0.255
! ACL 100: invalid sources dropped and logged by sdm-inspect (in->out).
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! ACLs 101-103: traffic to the PBX host, used by the SIP/H.323 inspect classes.
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.75.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
! ACL 104: Easy VPN split-tunnel list. NOTE(review): 10.1.1.0/24, 10.1.10.0/24
! (routed via 192.168.75.2) and 192.168.50.0/24 are not included, so VPN
! clients do not tunnel to them; add them here if that is unintended.
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.135.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any
! ACLs 105/106: IKE (udp/500) and NAT-T (udp/4500) for the out->self policy.
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp any any eq isakmp
access-list 106 remark SDM_ACL Category=1
access-list 106 permit udp any any eq non500-isakmp
dialer-list 1 protocol ip permit
!
!
!
!
!
! NOTE(review): no control-plane policing is configured.
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 protocol ieee
bridge 50 route ip
bridge 75 route ip
bridge 100 protocol ieee
bridge 100 route ip
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
! Console and AUX fall under the "default local" AAA login list; no
! exec-timeout is set on any line.
line con 0
 no modem enable
line aux 0
! NOTE(review): telnet is still accepted on the VTYs and no access-class
! limits the source. "transport input ssh" plus an access-class for the
! management subnet is the usual baseline; check that SSH actually works
! (RSA key present, "ip ssh version 2") before removing telnet.
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
end