Please HELP

Hi,

I am trying to get a VPN tunnel up and going between an 871 and a PIX. I have all of the interesting traffic defined and the sets defined as well.

crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MANNY esp-3des
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
crypto map Manchester 30 ipsec-isakmp
 set peer 63.x.x.x
 set security-association lifetime kilobytes 3600
 set security-association lifetime seconds 7200
 set transform-set ESP-3DES-SHA
 match address VPN_WILL
access-list 1 remark SDM_ACL Category=2
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.20.50.0 0.0.0.255
access-list 2 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.20.50.0 0.0.0.255
access-list 2 permit 10.250.250.0 0.0.0.255
access-list 100 permit ip 10.20.0.0 0.0.255.255 172.16.120.0 0.0.0.255
access-list 102 deny ip 10.20.50.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 10.20.50.0 0.0.0.255 any
access-list 106 permit udp any host 98.175.98.186 eq isakmp
access-list 106 permit esp any host 98.175.98.186
access-list 106 permit ahp any host 98.175.98.186
access-list 106 permit udp any host 98.175.98.186 eq non500-isakmp
access-list 120 permit ip 10.20.50.0 0.0.0.255 172.16.120.0 0.0.0.255
access-list 130 deny ip 68.239.85.0 0.0.0.255 any
access-list 130 deny ip host 255.255.255.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 permit ip any any
access-list 150 remark VTY Access-class list
access-list 150 remark SDM_ACL Category=1
access-list 150 permit ip 10.20.50.0 0.0.0.255 any
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 permit ip 10.250.250.0 0.0.0.255 any
access-list 150 deny ip any any
snmp-server community public RO
no cdp run
!
route-map nonat permit 30
 match ip address 102 NAT_Exempt
!

Is there another way to init traffic without the Tunnel0? Maybe a dialer?
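A quick way to check a dump like the one above before chasing the tunnel itself is to lint its crypto pieces: does every crypto map entry reference an ACL and a transform set that actually exist, is the map applied to an interface, and are there settings worth tightening while you are in there. The script below is an added example written for this thread, not the poster's code or anything from Cisco. The first config string is copied from the post (minus lines that carry nothing crypto-related); the second is my assumption of what a completed configuration would add (the VPN_WILL ACL, tunnel mode, a peer-bound key, the map on a WAN interface whose name is a placeholder, and no default SNMP community). Because the forum dump lost its indentation, the parser keys on command words rather than leading whitespace.

```python
"""Lint the crypto section of a flattened IOS config dump (added example)."""

# Crypto-relevant lines copied from the post above.
POSTED_CONFIG = """
crypto isakmp policy 30
encr 3des
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MANNY esp-3des
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
crypto map Manchester 30 ipsec-isakmp
set peer 63.x.x.x
set transform-set ESP-3DES-SHA
match address VPN_WILL
access-list 120 permit ip 10.20.50.0 0.0.0.255 172.16.120.0 0.0.0.255
snmp-server community public RO
route-map nonat permit 30
match ip address 102 NAT_Exempt
"""

# Hypothetical completed config (my assumption, not from the post); the key
# value and interface name are placeholders.
FIXED_CONFIG = """
crypto isakmp key REPLACE-WITH-STRONG-KEY address 63.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto map Manchester 30 ipsec-isakmp
set peer 63.x.x.x
set transform-set ESP-3DES-SHA
match address VPN_WILL
ip access-list extended VPN_WILL
permit ip 10.20.50.0 0.0.0.255 172.16.120.0 0.0.0.255
interface FastEthernet4
crypto map Manchester
"""

# Keywords that always begin a new top-level command, ending any sub-command block.
TOP_LEVEL = {"crypto", "interface", "access-list", "ip", "snmp-server",
             "route-map", "line", "hostname", "version", "service", "no", "end"}


def parse_config(text):
    """Collect transform sets, crypto map entries, ACL names, applied maps, keys, SNMP."""
    cfg = {"transform_sets": {}, "crypto_maps": {}, "acls": set(),
           "applied_maps": set(), "isakmp_keys": [], "snmp": []}
    ctx = None  # ("xform", name) or ("map", (name, seq)) while inside a block
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = {"mode": "tunnel", "transforms": t[4:]}
            ctx = ("xform", t[3])
        elif t[:2] == ["crypto", "map"] and len(t) >= 4 and t[3].isdigit():
            key = (t[2], int(t[3]))  # crypto map NAME SEQ ipsec-isakmp
            cfg["crypto_maps"][key] = {"peer": None, "transform": None, "match": None}
            ctx = ("map", key)
        elif t[:2] == ["crypto", "map"] and len(t) == 3:
            cfg["applied_maps"].add(t[2])  # 3-token form only exists under an interface
            ctx = None
        elif t[:3] == ["crypto", "isakmp", "key"] and "address" in t:
            i = t.index("address")  # crypto isakmp key KEY address IP [MASK]
            mask = t[i + 2] if len(t) > i + 2 else "255.255.255.255"
            cfg["isakmp_keys"].append((t[3], t[i + 1], mask))
            ctx = None
        elif t[0] == "access-list":
            cfg["acls"].add(t[1]); ctx = None
        elif t[:2] == ["ip", "access-list"] and len(t) >= 4:
            cfg["acls"].add(t[3]); ctx = None  # ip access-list extended NAME
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append((t[2], t[3] if len(t) > 3 else "RO")); ctx = None
        elif t[0] in TOP_LEVEL:
            ctx = None
        elif ctx and ctx[0] == "xform" and t[0] == "mode":
            cfg["transform_sets"][ctx[1]]["mode"] = t[1]
        elif ctx and ctx[0] == "map":
            e = cfg["crypto_maps"][ctx[1]]
            if t[:2] == ["set", "peer"]: e["peer"] = t[2]
            elif t[:2] == ["set", "transform-set"]: e["transform"] = t[2]
            elif t[:2] == ["match", "address"]: e["match"] = t[2]
    return cfg


def lint(cfg):
    """Return (code, message) findings; an empty list means nothing to flag."""
    out = []
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        where = f"crypto map {name} {seq}"
        if e["match"] is None:
            out.append(("NO_MATCH", f"{where}: no 'match address', so nothing is interesting"))
        elif e["match"] not in cfg["acls"]:
            out.append(("ACL_MISSING", f"{where}: ACL {e['match']} referenced but not defined in the dump"))
        ts = cfg["transform_sets"].get(e["transform"])
        if ts is None:
            out.append(("XFORM_MISSING", f"{where}: transform-set {e['transform']} not defined"))
        elif ts["mode"] == "transport":
            out.append(("TRANSPORT_MODE", f"{where}: {e['transform']} is mode transport; subnet-to-subnet "
                        "traffic normally uses tunnel mode, confirm both peers propose the same mode"))
    for name in sorted({n for n, _ in cfg["crypto_maps"]}):
        if name not in cfg["applied_maps"]:
            out.append(("MAP_NOT_APPLIED", f"crypto map {name} is not applied to any interface in the dump"))
    for _key, addr, mask in cfg["isakmp_keys"]:
        if addr == "0.0.0.0" and mask == "0.0.0.0":
            out.append(("WILDCARD_PSK", "isakmp key bound to 0.0.0.0 0.0.0.0 matches any peer; bind it to the PIX address"))
    for community, mode in cfg["snmp"]:
        if community.lower() in ("public", "private"):
            out.append(("DEFAULT_SNMP", f"snmp-server community {community} {mode} is a well-known string"))
    return out


def finding_codes(text):
    return sorted(code for code, _ in lint(parse_config(text)))


if __name__ == "__main__":
    for code, msg in lint(parse_config(POSTED_CONFIG)):
        print(f"[{code}] {msg}")
```

Run against the posted lines it reports that VPN_WILL is referenced but absent from the dump, that the chosen transform set is transport mode, that the Manchester map is not applied to any interface shown, that the pre-shared key is bound to 0.0.0.0 0.0.0.0, and that the SNMP community is the default; the assumed completed config produces no findings. The first three are exactly the things to confirm on the 871 before looking at the PIX side.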

1 REPLY

Re: Please HELP

BTW, the config above does not include the access-class deny statement.
