aaa new-model
aaa authentication login default local
aaa authentication login Local_Authentication local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Employee
 key
 dns 10.10.10.150 4.2.2.2
 wins 10.10.10.150
 pool SDM_POOL_1
 include-local-lan
 max-users 25
 netmask 255.255.255.0
!
crypto isakmp profile sdm-ike-profile-2
   match identity group Employee
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-2
!
crypto ctcp port 10000
!
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol isakmp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM-Voice
 match protocol h323
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map match-any AutoQoS-VoIP-RTP-Trust
 match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
 match ip dscp cs3
 match ip dscp af31
class-map type inspect match-any udp
 match protocol isakmp
class-map type inspect match-any tcp
 match protocol ssh
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class type inspect SDM-Voice
  inspect
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect udp
  pass
 class type inspect tcp
  pass
 class type inspect SDM-Voice
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 description LAN - Uplink to 3550-A$FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 10.10.10.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 h323-gateway voip interface
 h323-gateway voip bind srcaddr 10.10.10.2
!
interface FastEthernet0/1
 description WAN$FW_OUTSIDE$
 ip address 24.24.24.24 255.255.255.192
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no keepalive
 no cdp enable
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile2
!
ip local pool SDM_POOL_1 10.10.10.75 10.10.10.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.24.24.24
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat pool Outside 24.24.24.24 24.24.24.24 netmask 255.255.255.192
ip nat inside source list 3 interface FastEthernet0/1 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.100.0 0.0.0.255
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.24.24.24 0.0.0.63 any
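The IKEv1 policy above negotiates 3DES with DH group 2 and the default SHA-1 hash, the transform sets use esp-3des/esp-sha-hmac, and plaintext "ip http server" is enabled next to the HTTPS server. The script below is an added example, not part of the posted configuration and not a Cisco tool: it parses an IOS config by indentation and flags those settings. Which values count as weak is the script's own assumption (DES/3DES, MD5 and SHA-1, DH groups 1/2/5, plaintext HTTP management), and the embedded SAMPLE_CONFIG is a constructed excerpt of the lines shown on this page.

```python
"""Audit Cisco IOS IKEv1/IPsec and HTTP-management settings for weak values.

Added example, not part of the original configuration and not a Cisco tool.
What counts as "weak" here is this script's own assumption: DES/3DES,
MD5 and SHA-1, DH groups 1/2/5, and plaintext 'ip http server'.
"""

# Constructed sample: the crypto and HTTP lines copied from the config above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile2
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-2
!
ip http server
ip http authentication local
ip http secure-server
"""

# Values IOS applies when an ISAKMP policy omits the corresponding command.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
WEAK_ISAKMP = {
    "encr": {"des", "3des"},
    "hash": {"md5", "sha"},      # bare 'sha' is SHA-1
    "group": {"1", "2", "5"},    # 768/1024/1536-bit MODP
}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}


def parse_blocks(text):
    """Group an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if blocks:                  # child of the previous top-level line
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line, []))
    return blocks


def audit(text):
    """Return human-readable findings, in config order; empty list if clean."""
    findings = []
    for parent, children in parse_blocks(text):
        words = parent.split()
        if parent.startswith("crypto isakmp policy "):
            # Start from IOS defaults so an omitted 'group' is still judged (as group 1).
            settings = dict(ISAKMP_DEFAULTS)
            for child in children:
                kw, *rest = child.split()
                if kw in settings and rest:
                    settings[kw] = rest[0]
            for kw, weak in WEAK_ISAKMP.items():
                if settings[kw] in weak:
                    findings.append(f"{parent}: weak {kw} {settings[kw]}")
            if settings["authentication"] == "pre-share":
                findings.append(f"{parent}: pre-shared key authentication "
                                "(a group key is shared by every client)")
        elif parent.startswith("crypto ipsec transform-set "):
            name, transforms = words[3], words[4:]
            for t in transforms:
                if t in WEAK_ESP:
                    findings.append(f"transform-set {name}: weak transform {t}")
        elif parent == "ip http server":
            findings.append("ip http server: plaintext HTTP management enabled; "
                            "keep only 'ip http secure-server'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a full "show running-config" dump rather than the excerpt; the parser only relies on the one-space indentation IOS uses for sub-commands, so policy-map and interface blocks pass through untouched and only the ISAKMP, transform-set and HTTP lines produce findings.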