class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
|
match access-group 104
|
class-map type inspect match-any SDM_AH
|
match access-group name SDM_AH
|
class-map type inspect match-any ccp-skinny-inspect
|
match protocol skinny
|
class-map type inspect match-any ccp-h323nxg-inspect
|
match protocol h323-nxg
|
class-map type inspect match-any ccp-cls-icmp-access
|
match protocol icmp
|
match protocol tcp
|
match protocol udp
|
class-map type inspect match-any ccp-h225ras-inspect
|
match protocol h225ras
|
class-map type inspect match-any SDM_ESP
|
match access-group name SDM_ESP
|
class-map type inspect match-any ccp-h323annexe-inspect
|
match protocol h323-annexe
|
class-map type inspect match-any ccp-cls-insp-traffic
|
match protocol dns
|
match protocol ftp
|
match protocol https
|
match protocol icmp
|
match protocol imap
|
match protocol pop3
|
match protocol netshow
|
match protocol shell
|
match protocol realmedia
|
match protocol rtsp
|
match protocol smtp
|
match protocol sql-net
|
match protocol streamworks
|
match protocol tftp
|
match protocol vdolive
|
match protocol tcp
|
match protocol udp
|
class-map type inspect match-any PING_ACCESS
|
match access-group name PING_ACCESS
|
class-map type inspect match-any SDM_SSH
|
match access-group name SDM_SSH
|
class-map type inspect match-any SDM_HTTPS
|
match access-group name SDM_HTTPS
|
class-map type inspect match-any SDM_SHELL
|
match access-group name SDM_SHELL
|
class-map type inspect match-any SNMP_ACCESS
|
match access-group name SNMP_ACCESS
|
class-map type inspect match-any ccp-h323-inspect
|
match protocol h323
|
class-map type inspect match-all ccp-invalid-src
|
match access-group 100
|
class-map type inspect match-any ccp-sip-inspect
|
match protocol sip
|
class-map type inspect match-all ccp-protocol-http
|
match protocol http
|
class-map type inspect match-any sdm-cls-access
|
match class-map SDM_HTTPS
|
match class-map SDM_SSH
|
match class-map SDM_SHELL
|
match class-map SNMP_ACCESS
|
match class-map PING_ACCESS
|
class-map type inspect match-all ccp-insp-traffic
|
match class-map ccp-cls-insp-traffic
|
class-map type inspect match-any SDM_VPN_TRAFFIC
|
match protocol isakmp
|
match protocol ipsec-msft
|
match class-map SDM_AH
|
match class-map SDM_ESP
|
class-map type inspect match-all ccp-icmp-access
|
match class-map ccp-cls-icmp-access
|
class-map type inspect match-all SDM_VPN_PT
|
match access-group 103
|
match class-map SDM_VPN_TRAFFIC
|
class-map type inspect match-all sdm-access
|
match class-map sdm-cls-access
|
match access-group 102
|
!
|
policy-map type inspect sdm-pol-VPNOutsideToInside-1
|
class type inspect sdm-cls-VPNOutsideToInside-1
|
inspect
|
class class-default
|
drop
|
policy-map type inspect ccp-inspect
|
class type inspect ccp-invalid-src
|
drop log
|
class type inspect ccp-protocol-http
|
inspect
|
class type inspect ccp-insp-traffic
|
inspect
|
class type inspect ccp-sip-inspect
|
inspect
|
class type inspect ccp-h323-inspect
|
inspect
|
class type inspect ccp-h323annexe-inspect
|
inspect
|
class type inspect ccp-h225ras-inspect
|
inspect
|
class type inspect ccp-h323nxg-inspect
|
inspect
|
class type inspect ccp-skinny-inspect
|
inspect
|
class class-default
|
drop
|
policy-map type inspect ccp-permit
|
class type inspect SDM_VPN_PT
|
pass
|
class type inspect sdm-access
|
inspect
|
class class-default
|
drop
|
policy-map type inspect ccp-permit-icmpreply
|
class type inspect ccp-icmp-access
|
inspect
|
class class-default
|
pass
|
!
|
zone security in-zone
|
zone security out-zone
|
zone-pair security ccp-zp-out-self source out-zone destination self
|
service-policy type inspect ccp-permit
|
zone-pair security ccp-zp-in-out source in-zone destination out-zone
|
service-policy type inspect ccp-inspect
|
zone-pair security ccp-zp-self-out source self destination out-zone
|
service-policy type inspect ccp-permit-icmpreply
|
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
|
service-policy type inspect sdm-pol-VPNOutsideToInside-1
|
!
|
!
|
crypto isakmp policy 15
|
encr 3des
|
authentication pre-share
|
group 2
|
lifetime 28800
|
crypto isakmp key m0n5t3r address ***.***.***.***
|
!
|
!
|
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
|
mode tunnel
|
!
|
!
|
!
|
crypto map ipsec-TEST 10 ipsec-isakmp
|
set peer ***.***.***.***
|
set transform-set aes-sha
|
set pfs group2
|
match address 101
|
