Cisco Support Community

Cisco 2620xm and IPSEC passthrough

I followed various documents to set up IPSEC passthrough on a 2620xm router.

Could one of you experts check my config and let me know if I have it right?

thank you

version 12.4
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
service sequence-numbers
!
hostname stinger
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 10000 debugging
logging rate-limit 10000
logging console informational
logging monitor informational
enable secret 5 xxxxx
enable password 7 xxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
memory-size iomem 10
clock timezone CST -6
clock summer-time CDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
ip domain name xxxxxxx
ip name-server 192.168.0.1
ip name-server 192.168.0.10
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3030517303
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3030517303
revocation-check none
rsakeypair TP-self-signed-3030517303
!
!
username xxxxxxx privilege 15 view root secret 5 xxxxxx
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
ip rcmd rcp-enable
ip rcmd remote-host sdmR84979c1a 192.168.0.15 L84979c1a enable
ip rcmd remote-username sdmR84979c1a
!
!
buffers tune automatic
!
!
!
interface FastEthernet0/0
description {SCORPNET)$ETH-LAN$$FW_INSIDE$
mac-address 000f.23c4.6e80
ip address 192.168.0.50 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface ATM0/1
no ip address
shutdown
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet1/0
description (ATT Uverse)$ETH-WAN$$FW_OUTSIDE$
mac-address 000f.23c4.6e90
ip address 107.219.166.17 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW IN
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 107.219.166.22 permanent
!
!
ip http server
ip http access-class 2
ip http secure-server
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.0.1 20 107.219.166.17 20 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.17 21 extendable
ip nat inside source static tcp 192.168.0.10 25 107.219.166.17 25 extendable
ip nat inside source static tcp 192.168.0.1 80 107.219.166.17 80 extendable
ip nat inside source static udp 192.168.0.11 88 107.219.166.17 88 extendable
ip nat inside source static udp 192.168.0.1 500 107.219.166.17 500 extendable
ip nat inside source static tcp 192.168.0.1 990 107.219.166.17 990 extendable
ip nat inside source static tcp 192.168.0.1 1701 107.219.166.17 1701 extendable
ip nat inside source static udp 192.168.0.1 1701 107.219.166.17 1701 extendable
ip nat inside source static tcp 192.168.0.11 3074 107.219.166.17 3074 extendable
ip nat inside source static udp 192.168.0.11 3074 107.219.166.17 3074 extendable
ip nat inside source static udp 192.168.0.1 4500 107.219.166.17 4500 extendable
ip nat inside source static udp 192.168.0.1 10000 107.219.166.17 10000 extendable
ip nat inside source static udp 192.168.0.1 17478 107.219.166.17 17478 extendable
ip nat inside source static tcp 192.168.0.1 40000 107.219.166.17 40000 extendable
ip nat inside source static tcp 192.168.0.1 40001 107.219.166.17 40001 extendable
ip nat inside source static tcp 192.168.0.1 40002 107.219.166.17 40002 extendable
ip nat inside source static tcp 192.168.0.1 40003 107.219.166.17 40003 extendable
ip nat inside source static tcp 192.168.0.1 40004 107.219.166.17 40004 extendable
ip nat inside source static tcp 192.168.0.1 40005 107.219.166.17 40005 extendable
ip nat inside source static tcp 192.168.0.1 55368 107.219.166.17 55368 extendable
ip nat inside source static tcp 192.168.0.15 60817 107.219.166.17 60817 extendable
!
logging source-interface FastEthernet0/0
logging 192.168.0.1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.15
access-list 23 permit 192.168.0.1
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 107.219.166.16 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark DELTA FORCE LAND WORRIOR
access-list 102 permit udp any host 107.219.166.17 eq 17478
access-list 102 remark XBOX
access-list 102 permit udp any host 107.219.166.17 eq 88
access-list 102 permit udp any host 107.219.166.17 eq 3074
access-list 102 permit tcp any host 107.219.166.17 eq 3074
access-list 102 remark WWW
access-list 102 permit tcp any host 107.219.166.17 eq www
access-list 102 permit tcp any host 107.219.166.17 eq 443
access-list 102 remark SMTP
access-list 102 permit tcp any host 107.219.166.17 eq smtp
access-list 102 remark FTP
access-list 102 permit tcp any host 107.219.166.17 eq ftp
access-list 102 permit tcp any host 107.219.166.17 eq ftp-data
access-list 102 permit tcp any host 107.219.166.17 eq ftp-data established
access-list 102 permit tcp any host 107.219.166.17 range 40000 40005
access-list 102 permit tcp any host 107.219.166.17 eq 990
access-list 102 remark uTORRENT
access-list 102 permit tcp any host 107.219.166.17 eq 60817
access-list 102 permit tcp any host 107.219.166.17 eq 55368
access-list 102 remark DNS
access-list 102 permit udp host 192.168.0.1 eq domain host 107.219.166.17
access-list 102 permit udp host 192.168.0.10 eq domain host 107.219.166.17
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any
access-list 102 remark VPN/IPSEC
access-list 102 permit tcp any host 107.219.166.17 eq 1701
access-list 102 permit udp any host 107.219.166.17 eq 1701
access-list 102 permit udp any host 107.219.166.17 eq 500
access-list 102 permit udp any host 107.219.166.17 eq 4500
access-list 102 permit udp any host 107.219.166.17 eq 10000
access-list 102 permit udp any host 107.219.166.17 eq isakmp
access-list 102 permit udp any host 107.219.166.17 eq non500-isakmp
access-list 102 remark ICMP
access-list 102 permit icmp any host 107.219.166.17 echo-reply
access-list 102 permit icmp any host 107.219.166.17 time-exceeded
access-list 102 permit icmp any host 107.219.166.17 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
snmp-server community xxxxx
snmp-server chassis-id xxxxx
snmp-server host 192.168.0.15 version 2c xxxxx
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport preferred none
transport output telnet
speed 115200
line aux 0
login authentication local_auth
no exec
transport output telnet
line vty 0 4
access-class 22 in
exec-timeout 20 0
privilege level 15
password 7 xxxxx
login authentication local_auth
transport preferred none
transport input ssh
!
scheduler allocate 4000 1000
ntp logging
ntp clock-period 17181221
ntp server 192.168.0.1 prefer
!
end
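The question above asks whether the passthrough config is right, and the answer mostly comes down to whether three parts of the config agree with each other: the static NAT forwards, the ACL applied inbound on the outside interface (102), and the ACL numbers referenced from lines and the HTTP server. The following Python script is an added example, not from the original post or from Cisco; it cross-checks those three things over a constructed subset of the posted config (same addresses and ports as in the post) and reports forwarded ports with no matching permit, permits with nothing forwarded behind them, rules that are duplicated under a port keyword (`eq 500` next to `eq isakmp`, `eq 4500` next to `eq non500-isakmp`), whether ESP is permitted at all (IPsec without NAT-T runs over IP protocol 50, not a UDP port, and the posted ACL 102 has no `permit esp` line), and `access-class` / `access-group` references to lists that are never defined (the post references lists 22 and 2 but defines only 1, 23, 100, 101 and 102). The ACL number and the one-line NAT syntax are assumptions matching the posted config.

```python
"""Cross-check static NAT forwards, the outside-interface ACL and ACL
references in an IOS running-config. Assumes the layout of the posted
config: ACL 102 inbound on the outside interface and one-line
'ip nat inside source static' entries. SAMPLE_CONFIG is a constructed
subset of the post so the script runs offline."""
import re

SAMPLE_CONFIG = """
ip http access-class 2
ip access-group 102 in
ip nat inside source static tcp 192.168.0.1 20 107.219.166.17 20 extendable
ip nat inside source static tcp 192.168.0.1 21 107.219.166.17 21 extendable
ip nat inside source static udp 192.168.0.1 500 107.219.166.17 500 extendable
ip nat inside source static udp 192.168.0.1 4500 107.219.166.17 4500 extendable
ip nat inside source static tcp 192.168.0.1 40000 107.219.166.17 40000 extendable
access-list 23 permit 192.168.0.15
access-list 102 permit tcp any host 107.219.166.17 eq ftp
access-list 102 permit tcp any host 107.219.166.17 eq ftp-data
access-list 102 permit tcp any host 107.219.166.17 eq 443
access-list 102 permit tcp any host 107.219.166.17 range 40000 40005
access-list 102 permit udp any host 107.219.166.17 eq 500
access-list 102 permit udp any host 107.219.166.17 eq 4500
access-list 102 permit udp any host 107.219.166.17 eq isakmp
access-list 102 permit udp any host 107.219.166.17 eq non500-isakmp
access-list 102 deny   ip any any log
line vty 0 4
 access-class 22 in
"""

# IOS port keywords used in the posted ACL, resolved to numbers so that
# "eq 500" and "eq isakmp" are recognised as the same rule.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53,
              "www": 80, "isakmp": 500, "non500-isakmp": 4500}

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) \S+ \d+ \S+ (\d+)")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host \S+ (eq \S+|range \d+ \d+)")
ESP_RE = re.compile(r"^access-list (\d+) permit (esp|50) ")
DEF_RE = re.compile(r"^access-list (\d+) ")
REF_RE = re.compile(r"^(?:ip http access-class|access-class|ip access-group) (\d+)")


def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse(config, acl="102"):
    """Collect (proto, outside_port) forwards, (proto, lo, hi, text) permits,
    an ESP flag, and the set of defined vs referenced ACL numbers."""
    forwards, permits, defined, referenced = set(), [], set(), set()
    esp_permitted = False
    for raw in config.splitlines():
        line = raw.strip()
        if (m := NAT_RE.match(line)):
            forwards.add((m.group(1), int(m.group(2))))
        elif (m := ACL_RE.match(line)) and m.group(1) == acl:
            spec = m.group(3).split()
            if spec[0] == "eq":
                lo = hi = port_num(spec[1])
            else:
                lo, hi = int(spec[1]), int(spec[2])
            permits.append((m.group(2), lo, hi, line))
        elif (m := ESP_RE.match(line)) and m.group(1) == acl:
            esp_permitted = True
        if (m := DEF_RE.match(line)):
            defined.add(m.group(1))
        if (m := REF_RE.match(line)):
            referenced.add(m.group(1))
    return forwards, permits, esp_permitted, defined, referenced


def audit(config, acl="102"):
    forwards, permits, esp_permitted, defined, referenced = parse(config, acl)

    def permitted(proto, port):
        return any(p == proto and lo <= port <= hi for p, lo, hi, _ in permits)

    def forwarded(proto, lo, hi):
        return any(p == proto and lo <= port <= hi for p, port in forwards)

    seen, duplicates = {}, []
    for proto, lo, hi, text in permits:
        key = (proto, lo, hi)
        if key in seen:
            duplicates.append((seen[key], text))  # second rule never matches
        else:
            seen[key] = text
    return {
        # forwarded to an inside host but blocked by the ACL: service unreachable
        "forwards_without_permit": sorted(f for f in forwards if not permitted(*f)),
        # permitted inbound but no NAT entry behind it: an opening with no purpose
        "permits_without_forward": [t for p, lo, hi, t in permits if not forwarded(p, lo, hi)],
        "duplicate_permits": duplicates,
        # IPsec without NAT-T rides on ESP (IP protocol 50), not on a UDP port
        "esp_permitted": esp_permitted,
        # access-class / access-group pointing at a list that is never defined
        "undefined_acl_refs": sorted(referenced - defined),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a full `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file's contents; on the constructed subset it reports the TCP 443 permit as having no forward, the two keyword duplicates, no ESP permit, and references to the undefined lists 2 and 22.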
