With a 2911 connected to the net and an S2S VPN going out the public interface, what's the best method to still lock down the router from the public interface without interfering with the VPN tunnel?
 duplex auto
ip ssh source-interface Virtual-Template1
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXX address 22.214.171.124 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map outside_map 10 ipsec-isakmp
 set peer 3xx.3xx.3xx.xx3
 set transform-set ESP-3DES-SHA
 match address 150
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Public
 ip address 3xx.3xx.3xx.xx3 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface GigabitEthernet0/1
 description Subinterfaces for local vlans
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
access-list 150 permit ip 192.168.202.0 0.0.0.255 any