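hub851#wr t
! Running configuration of hub851 (IOS 12.4), captured with "write terminal".
! Roles visible in this config: IPsec hub for LAN-to-LAN spokes and remote-access
! clients, NAT/PAT gateway for the HQ LAN 192.168.5.0/24, and static port
! forwarder to the internal server 192.168.5.5.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation of "password" lines only; it is reversible and is not a
! substitute for "secret" (hashed) entries.
service password-encryption
!
hostname hub851
!
boot-start-marker
boot-end-marker
!
! 16 KB local buffer at debugging level. No "logging host" appears anywhere in
! this config, so the "deny ip any any log" hits from the ACLs only reach this
! volatile buffer and are lost on reload; add a syslog destination.
logging buffered 16000 debugging
no logging console
! Was "enable password xxxxxxxxxx": stored as reversible type 7 and recoverable
! from any config backup. "enable secret" stores a hash and takes precedence over
! "enable password"; re-enter the cleartext secret when applying this change.
enable secret xxxxxxxxxx
!
aaa new-model
!
!
! Method lists referenced only by ISAKMP profile VPNclient (xauth and group
! authorization, both against the local user database). No "default" login list
! is defined; with aaa new-model that leaves console/vty logins on local auth.
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring last Sun Sep 2:00 1 Sun Apr 3:00
ip subnet-zero
no ip source-route
ip icmp rate-limit unreachable 2
ip dhcp ping packets 0
!
!
ip cef
! CBAC inspection rule set "FW". NOTE(review): it is defined but no interface in
! this config applies it ("ip inspect FW in|out"), so the firewall is static
! ACLs only. ACL 3 is the java-list for the http rule (see the ACL section).
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW udp
ip inspect name FW tcp
ip inspect name FW http java-list 3
no ip bootp server
! The router itself does no name resolution; the configured name server's /24 is
! also the source permitted for DNS replies in ACL InternetInbound.
no ip domain lookup
ip domain name xxxxxxxxx
ip name-server a.b.c.d
! SSH negotiation timeout. No "ip ssh version 2" is set, so the image default
! (accepting v1 as well) applies; pin version 2 once the RSA key size allows it.
ip ssh time-out 60
!
!
! Self-signed certificate trustpoint. Nothing else in this config references it
! and "ip http secure-server" is disabled, so it appears to be unused.
crypto pki trustpoint TP-self-signed-3300414296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3300414296
 revocation-check none
 rsakeypair TP-self-signed-3300414296
!
!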
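! Self-signed certificate body (DER, hex). Decoding the blob: the SAN is the
! template value yourname.yourdomain.com and validity runs 2002-03-01 to
! 2020-01-01; the 2002 start suggests the clock was unset when it was generated.
crypto pki certificate chain TP-self-signed-3300414296
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333030 34313432 3936301E 170D3032 30333031 30303036
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33303034
  31343239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D345 C7A1064E B03B189C 72A39818 792EB9E1 44926BFA 2E65283B 30DDE18C
  C7CA5AAA 7DC1DB46 133CEBF9 F86990C5 D96E7641 66706D8F 6DFC4918 1CE1E1B0
  52D69D1F F9EDE99B CC8C3960 CAC28B57 891E0C8C 4C1A92E0 A3886353 1EC4801D
  052B7A02 5D37A1BF 81D31427 CDC1EE56 E1FBF5BE 9FF00B5C 602FE496 4083949E
  B2ED0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14F1735E E943DA26 6A34BBCC FEAC0D66 94E011BF
  23301D06 03551D0E 04160414 F1735EE9 43DA266A 34BBCCFE AC0D6694 E011BF23
  300D0609 2A864886 F70D0101 04050003 818100B5 C0B61471 4FA0EE1C EE9E5EF9
  2D9A1F72 1BCB64F6 F03F4BFD EE795370 DEC8DFD7 ED7F69B6 40E63502 F76C9EAF
  BBDFDF54 3A4E89C9 27C3E335 7B839416 D8C91481 3CF35275 09A2C26D A4C20CEE
  67BAF397 44FCFC38 968679C2 B4F626AD 4CE1D320 085ECAC0 5BD19068 25A47C94
  23722242 4F531872 1D437AB5 C1305785 441BF9
  quit
! Local user database, used for console/vty logins and for VPN client xauth
! (list clientauth). Was "username ... password ...": with service
! password-encryption those are reversible type 7. "secret" stores a hash
! instead; re-enter the cleartext for each account when converting.
username sssss secret xxxxxxxxxxxx
username ttttt secret zzzzzzzzzzzz
!
!
! Pre-shared key for LAN-to-LAN spokes. NOTE(review): one wildcard entry covers
! every peer address and the key is a trivial dictionary value, so possession of
! that string is the only thing distinguishing a spoke from any other host.
! Replace it with a long random key and, where spoke addresses are static, bind
! the key to those addresses instead of 0.0.0.0 0.0.0.0.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
! IKE phase 1: 3DES, DH group 2 (1024-bit), default hash SHA-1 — legacy strength.
! Left unchanged here because every spoke and client must be changed in step;
! move to "encr aes 256" and a stronger group once the peers support them.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!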
! Remote-access (Easy VPN) group. The group key authenticates the client
! software before xauth; "cisco321" is a trivially guessable value and should be
! replaced with a long random one. Clients get DNS/WINS from the internal
! server 192.168.5.5 and an address from ippool (192.168.2.0/24, defined below).
crypto isakmp client configuration group testgroup
 key cisco321
 dns 192.168.5.5
 wins 192.168.5.5
 domain local.equus.co.nz
 pool ippool
! LAN-to-LAN profile: any peer address, authenticated only by the wildcard
! keyring "spokes".
crypto isakmp profile L2L
 description LAN-to-LAN for spoke router(s) connection
 keyring spokes
 match identity address 0.0.0.0
! Remote-access profile: xauth via list clientauth (local users), group policy
! via list groupauthor (local); an address is pushed only when the client asks.
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
!
! Phase 2: 3DES / SHA-1 HMAC — same legacy-strength note as the ISAKMP policy.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!
! Dynamic crypto map: entry 5 serves clients (reverse-route injects a route to
! the assigned client address), entry 10 serves spokes. Neither entry carries a
! "match address" ACL, so the protected networks come from the peer's proposal.
! NOTE(review): ACL 110 (remark "Site to Site VPN", 192.168.5.0/24 ->
! 192.168.10.0/24) is defined but unreferenced and looks like the intended
! match address for entry 10 — confirm with whoever maintains the spokes.
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
!
!
!
!
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
! FastEthernet0-3 carry no configuration here (851 LAN switch ports, default
! member of Vlan1); FastEthernet4 is the WAN port.
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description (Connected to Internet)
 ip address xxx.yy.228.55 255.255.255.0
 ip access-group InternetInbound in
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
 crypto map mymap
! NOTE(review) on FastEthernet4: the inbound filter is the static ACL
! InternetInbound only; no "ip inspect FW out" is applied, so the CBAC rule set
! "FW" defined globally never runs and return traffic for LAN-initiated
! sessions relies on the source-port permits in that ACL (see the ACL section).
! Also both fast-switching paths are disabled ("no ip route-cache cef",
! "no ip route-cache"), so this interface is process-switched despite the
! global "ip cef"; the reason is not recorded in the config.
!
interface Vlan1
 description (HQ LAN)
 ip address 192.168.5.254 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
! Vlan1: LAN-side ingress filter is numbered ACL 102. The MSS clamp keeps TCP
! over the NAT/IPsec path below the encapsulation overhead.
!
! Dialer0 is an empty leftover (dialer-list 1 below is likewise unreferenced).
interface Dialer0
 no ip address
 no cdp enable
!
! Address pool handed to remote-access clients by group testgroup.
ip local pool ippool 192.168.2.1 192.168.2.254
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 xxx.yy.228.1
!
no ip http server
no ip http secure-server
! Dynamic PAT: two overload statements for the same inside->outside path, one
! keyed on ACL "Internet" and one on route-map nonat (ACL 180). Both exempt
! 192.168.5.0/24 -> 192.168.10.0/24 (spoke LAN) and otherwise permit the LAN,
! so one of them is redundant. NOTE(review): neither exempts the remote-access
! client pool 192.168.2.0/24; the unreferenced ACL 105 ("Traffic to NAT") does,
! and looks like the list that was intended here — confirm before changing.
ip nat inside source list Internet interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
! Static port forwards. Each one is only reachable if ACL InternetInbound also
! permits the destination port on xxx.yy.228.55.
! -> internal server 192.168.5.5: POP3
ip nat inside source static tcp 192.168.5.5 110 interface FastEthernet4 110
! -> the router's own Vlan1 address: L2TP (tcp/udp 1701) and IKE (udp 500).
! InternetInbound has no permit for 1701, so those two mappings are dead.
ip nat inside source static tcp 192.168.5.254 1701 interface FastEthernet4 1701
ip nat inside source static udp 192.168.5.254 1701 interface FastEthernet4 1701
ip nat inside source static udp 192.168.5.254 500 interface FastEthernet4 500
! -> internal server 192.168.5.5: PPTP, RDP, 4125, 444, HTTPS, SMTP
ip nat inside source static tcp 192.168.5.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.5.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.5.5 4125 interface FastEthernet4 4125
ip nat inside source static tcp 192.168.5.5 444 interface FastEthernet4 444
ip nat inside source static tcp 192.168.5.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.5.5 25 interface FastEthernet4 25
! -> the router's own Vlan1 address: SSH. NOTE(review): InternetInbound does
! not permit tcp/22 today, so this mapping is inert — but it exposes router
! management to the Internet the moment that ACL is loosened. Remove it and
! reach the router over the VPN instead.
ip nat inside source static tcp 192.168.5.254 22 interface FastEthernet4 22
!
! NAT list "Internet": all HQ LAN traffic except what goes to the spoke LAN.
ip access-list extended Internet
 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
! Inbound filter applied on FastEthernet4. Groups, in order:
! 1) decrypted VPN traffic by inner addresses (spoke LAN, client pool) — needed
!    on images that re-check decrypted packets against the interface ACL; on
!    12.4 these may already be redundant — confirm on this image.
! 2) DNS replies from the name server's /24, matched on source port 53.
! 3) IKE, NAT-T, GRE (for the PPTP forward) and ESP.
! 4) ICMP needed for reachability tests and path-MTU discovery.
! 5) SEVEN SOURCE-PORT-ONLY PERMITS — see NOTE(review) below.
! 6) per-service destination-port permits matching the static NAT forwards.
ip access-list extended InternetInbound
 permit ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit udp a.b.c.d 0.0.0.255 eq domain host xxx.yy.228.55
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit gre any any
 permit esp any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
! NOTE(review): the next seven entries match on SOURCE port only and permit ANY
! destination port on xxx.yy.228.55. They look like pre-stateful "return
! traffic" rules for LAN users' outbound sessions (www has no destination-port
! permit below, so it can only be serving that purpose), but they also mean the
! per-service permits in group 6 are not the effective boundary: every port the
! router listens on or forwards is reachable from a sender using one of these
! source ports. The fix is to apply the already-defined CBAC set on the WAN
! interface ("ip inspect FW out" on FastEthernet4) and then delete these seven
! lines; do the two steps together, since removing them alone breaks LAN-
! initiated sessions.
 permit tcp any eq smtp host xxx.yy.228.55
 permit tcp any eq pop3 host xxx.yy.228.55
 permit tcp any eq www host xxx.yy.228.55
 permit tcp any eq 443 host xxx.yy.228.55
 permit tcp any eq 444 host xxx.yy.228.55
 permit tcp any eq 3389 host xxx.yy.228.55
 permit tcp any eq 4125 host xxx.yy.228.55
! Per-service permits for the static NAT forwards to 192.168.5.5. There is
! deliberately no entry for tcp/22 or 1701, so the matching forwards to the
! router's own address stay unreachable from outside.
 permit tcp any host xxx.yy.228.55 eq 443
 permit tcp any host xxx.yy.228.55 eq smtp
 permit tcp any host xxx.yy.228.55 eq 444
 permit tcp any host xxx.yy.228.55 eq pop3
 permit tcp any host xxx.yy.228.55 eq 1723
 permit tcp any host xxx.yy.228.55 eq 3389
 permit tcp any host xxx.yy.228.55 eq 4125
! Logged drops go to the local buffer only (no logging host configured).
 deny ip any any log
!
! ACL 1 is not referenced by any statement in this config.
access-list 1 remark The local LAN.
access-list 1 permit 192.168.5.0 0.0.0.255
! ACL 3 is the java-list for "ip inspect name FW http" (see ip inspect above),
! i.e. it selects the servers whose Java applets are allowed through. The
! remark describes something else; as written the list appears to block
! applets from the spoke LAN and client pool and allow them from everyone
! else, which is likely the inverse of the intent — confirm.
access-list 3 remark Traffic not to check for intrustion detection.
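access-list 3 deny 192.168.10.0 0.0.0.255
access-list 3 deny 192.168.2.0 0.0.0.255
access-list 3 permit any
! LAN ingress filter (Vlan1 in). The "permit ip 192.168.5.0/24 any" entry
! already covers the two spoke/client-pool entries, and "permit ip any host
! 192.168.5.254" covers the tcp/22 entry; the net effect is: accept everything
! from the LAN subnet plus broadcasts, accept anything addressed to the router
! itself regardless of source, and log the rest.
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.5.254
access-list 102 permit tcp any host 192.168.5.254 eq 22
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
! ACLs 105, 106, 110, 120 and 150 are not referenced by any statement in this
! config. 105 is the only NAT list here that exempts the client pool
! 192.168.2.0/24; 110 matches the spoke traffic and looks like an intended
! "match address" for dynmap 10; 120 names a network (172.22.124.0/24) that
! appears nowhere else. Remove them or wire them in deliberately.
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 192.168.5.0 0.0.0.255 any
access-list 120 permit ip 172.22.124.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.5.0 0.0.0.255 any
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
! ACL 180 drives route-map nonat (the second PAT statement). It duplicates the
! named ACL "Internet" exactly, including the missing client-pool exemption.
access-list 180 remark Don't NAT/PAT traffic for VPN
access-list 180 deny ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 180 permit ip 192.168.5.0 0.0.0.255 any
! Leftover with Dialer0; nothing references dialer-list 1.
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 180
!
!
control-plane
!
banner motd ^CCCC**** UNAUTHORIZED ACCESS PROHIBITED !****^C
!
! Console: 60-minute idle timeout is long for a device at the Internet edge;
! consider 10 minutes or less.
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
! AUX line carries no restrictions ("no exec" / "transport input none"); if the
! port is unused, disable it.
line aux 0
! Remote management. Was "transport input telnet ssh": telnet carries the local
! user credentials in cleartext across the same Internet-facing path. SSH is
! already in service (IOS accepts "ip ssh ..." only once an RSA key exists), so
! telnet is dropped. Still missing: an "access-class" restricting vty sources to
! the management networks, and "login block-for" against password guessing.
line vty 0 4
 exec-timeout 60 0
 logging synchronous
 transport input ssh
!
end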