
IPSec L2L VPN on top of IOS zone based firewall

m1xed0s
Spotlight

Hey, there

Just spent around 5 hours this afternoon with Cisco TAC on an IPSec VPN issue between two 1921 routers with IOS 15.1. The issue was kinda solved, but I still have some confusing points and I would like to share them here and collect some opinions. Here is a high-level synopsis:

Router A at the headend is hosting 9 VPN tunnels to remote sites. This morning I got a call that Router B for one of the remote sites failed to build a tunnel back to the headend while all other 8 sites are running proper tunnels. Router A shows receiving ISAKMP initiate traffic from Router B and tries to reply to negotiate the tunnel. Router B never receives a thing and just keeps sending. I know rebooting Router A should fix the issue, as this happened to other sites before, but I need to get this fixed completely this time. This is not Windows that reboots frequently.

I did initial troubleshooting and the log shows the UDP 500 traffic is dropped by Router A, and this explains why the tunnel is not up. But one thing I cannot find an answer to is: why did this not happen yesterday or last week... The second guy (the first one was just a bad experience) from TAC suggested I remove the policy-maps under the out-self and self-out security zones. I doubted that initially, as I was afraid of losing the management connection to the devices. But we did remove those as we kinda ran into a dead end. Removing the policy-maps did bring up the tunnel (confused again). TAC then tried to re-configure the policy-maps with different rules, as he thought my rules were incorrect. But once he put his correct policy-maps back, the tunnel between the 2 routers wouldn't come up.

I went back to check the whole configuration file on Router A and I started questioning why I put a long list of ACLs on the external interface to filter incoming traffic and meanwhile configured different policy-maps for the out-self and self-out zone-pairs. I asked TAC if the ACL on the interface and the policy-map under the zone-pairs won't work well if configured at the same time. He kinda said yes, and he also suggested I upgrade IOS to the latest 15.2.

So any of you have experience with this kinda setup or issues?

Thanks,

Shuai
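
The UDP 500 drop described in the post above is visible in the router's syslog when `log dropped-packets enable` is set, and summarising those messages shows which zone-pair and class is discarding IKE for which peer. The following is an added example, not part of the original thread: the log lines are constructed, the message layout is the assumed `%FW-6-DROP_PKT` format, and the addresses are documentation ranges.

```python
import re
from collections import Counter

# Assumed layout of the IOS zone-based firewall drop message (%FW-6-DROP_PKT).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.*?)(?: with ip ident \d+)?\s*$"
)

IKE_PORTS = {500, 4500}  # ISAKMP and IPsec NAT-T

# Constructed sample, not taken from the poster's router. 192.0.2.1 stands in
# for the headend's outside address; the zone-pair names follow the thread.
SAMPLE_LOG = """\
May  3 14:02:11: %FW-6-DROP_PKT: Dropping udp session 198.51.100.20:500 192.0.2.1:500 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
May  3 14:02:21: %FW-6-DROP_PKT: Dropping udp session 198.51.100.20:500 192.0.2.1:500 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
May  3 14:02:40: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:51514 192.0.2.1:23 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
May  3 14:03:02: %FW-6-DROP_PKT: Dropping udp session 192.0.2.1:500 198.51.100.20:500 on zone-pair ccp-zp-self-out class class-default due to  DROP action found in policy-map with ip ident 0
May  3 14:03:09: %FW-6-DROP_PKT: Dropping udp session 198.51.100.77:4500 192.0.2.1:4500 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
May  3 14:03:15: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; other syslog lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["reason"] = d["reason"].strip()
        drops.append(d)
    return drops


def is_ike(drop):
    """True for UDP packets to or from port 500 or 4500."""
    return drop["proto"].lower() == "udp" and (
        drop["sport"] in IKE_PORTS or drop["dport"] in IKE_PORTS
    )


def ike_drop_summary(text, router_ip):
    """Count dropped IKE packets per (direction, peer, zone-pair, class).

    Direction is relative to router_ip: 'inbound' means the peer's packet was
    dropped before reaching the router, 'outbound' means the router's own
    packet (for example its reply) was dropped on the way out.
    """
    summary = Counter()
    for d in parse_drops(text):
        if not is_ike(d):
            continue
        if d["dst"] == router_ip:
            direction, peer = "inbound", d["src"]
        elif d["src"] == router_ip:
            direction, peer = "outbound", d["dst"]
        else:
            direction, peer = "transit", d["src"]
        summary[(direction, peer, d["zp"], d["cls"])] += 1
    return summary


if __name__ == "__main__":
    for (direction, peer, zp, cls), n in sorted(
        ike_drop_summary(SAMPLE_LOG, "192.0.2.1").items()
    ):
        print(f"{n:3d}  {direction:8s} peer={peer:15s} zone-pair={zp} class={cls}")
```

A drop counted under `class-default` means no earlier class in that policy-map matched the packet, so the class and ACL meant to pass ISAKMP for that peer are the first things to check.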

6 Replies

Hi

I've never had any issues with VPNs combined with ZFW, unless there has been an error in the config. But if you want, I can look through the config.

Which version of IOS are you using?

Attached here is the configuration file. There are a lot of duplicate ACLs thanks to CCP. I am going to upgrade the router and redo the configuration from scratch. But if you guys can spot any stupid mistake, please share.

*************************************************************************************************************
Building configuration...

Current configuration : 71851 bytes
!
! Last configuration change at 16:01:49 ADT Thu May 3 2012 by shuai.yu

version 15.1
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname abc
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.151-4.M3.bin
boot-end-marker
!
!
no logging console
enable secret 5 $1$1NzR$Ulg6lHU2Bz5SMtQQo3eDE1
enable password enable2
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.111 192.168.1.254
!
ip dhcp pool dhcppool
import all
network 192.168.1.0 255.255.255.0
domain-name abc.local
dns-server 192.168.10.200 192.168.10.202
default-router 192.168.1.150
netbios-name-server 192.168.10.200
option 202 ip 192.168.1.218
lease 8
!
!
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--1 port tcp 5080
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable

parameter-map type urlfpolicy trend cprepdenyregex0
allow-mode on
block-page message "Blocked by Security rules"

parameter-map type urlfpolicy trend cptrendparacatdeny1
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"

parameter-map type urlfpolicy trend cptrendparacatdeny2
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type urlf-glob cpaddbnwlocparadeny0
pattern www.facebook.com
pattern www.radiofreecolorado.net
pattern facebook.com
pattern worldofwarcraft.com
pattern identityunknown.net
pattern static.break.com
pattern lyris01.media.com
pattern www.saltofreight.com
pattern reality-check.com
pattern reality-check.ca

parameter-map type urlf-glob cpaddbnwlocparapermit1
pattern toronto.bluejays.mlb.com
pattern www.alc.ca
pattern www.espn.com
pattern www.bestcarriers.com
pattern www.gulfpacificseafood.com
pattern www.lafermeblackriver.ca
pattern 69.156.240.29
pattern www.tyson.com
pattern www.citybrewery.com
pattern www.canadianbusinessdirectory.ca
pattern www.homedepot.ca
pattern ai.fmcsa.dot.gov
pattern www.mtq.gouv.qc.ca
pattern licenseinfo.oregon.gov
pattern www.summitfoods.com
pattern www.marine-atlantic.ca
pattern www.larway.com
pattern www.rtlmotor.ca
pattern *.kijiji.ca
pattern *.linkedin.com
pattern www.youtube.com
pattern *.abc.com
pattern *.google.ca
pattern *.gstatic.com

parameter-map type urlf-glob cplocclassurlfgloburlallow1
pattern www.alc.ca

parameter-map type urlf-glob cplocclassurlfglobkdblock1
pattern facebook.com

parameter-map type urlf-glob cplocclassurlfgloburlblock1
pattern www.facebook.com


parameter-map type ooo global
tcp reassembly queue length 128

parameter-map type trend-global global-param-map
cache-size maximum-memory 5000
crypto pki token default removal timeout 0
!
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
!
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
!
crypto pki trustpoint trps1_server
revocation-check none
!
crypto pki trustpoint TP-self-signed-1923775371
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1923775371
revocation-check none
!
!
crypto pki certificate chain Equifax_Secure_CA
certificate ca 35DEF4CF
   quit
crypto pki certificate chain NetworkSolutions_CA
certificate ca 10E776E8A65A6E377E050306D43C25EA
   quit
crypto pki certificate chain trps1_server
certificate ca 00
   quit
crypto pki certificate chain TP-self-signed-1923775371
certificate self-signed 01
   quit
license udi pid CISCO1921/K9 sn FHK143970U5
!
!
redundancy
!
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 107
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 116
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 114
class-map type inspect match-all sdm-nat-http-1
match access-group 145
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 145
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 145
match protocol user-protocol--1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
match access-group 118
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 124
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 146
match protocol user-protocol--2
class-map type inspect match-any ALLOW_SNMP
match protocol snmp
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
match access-group 117
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 147
match protocol user-protocol--2
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
match access-group 119
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all ALLOW_ICMP
match protocol icmp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol icmp
class-map type inspect match-all SDM_VPN_PT
match access-group 106
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ETL_CARDLOCK
match access-group name ETL_CARDLOCK
class-map type urlfilter match-any cpaddbnwlocclassdeny0
match  server-domain urlf-glob cpaddbnwlocparadeny0
class-map type urlfilter match-any cpaddbnwlocclasspermit1
match  server-domain urlf-glob cpaddbnwlocparapermit1
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type urlfilter match-any cplocclassurlblock1
match  server-domain urlf-glob cplocclassurlfgloburlblock1
class-map type urlfilter trend match-any cpcatdenyclass3
match  url category Abortion
match  url category Activist-Groups
match  url category Adult-Mature-Content
match  url category Chat-Instant-Messaging
match  url category Cult-Occult
match  url category Internet-Radio-and-TV
match  url category Marijuana
match  url category Nudity
match  url category Personals-Dating
match  url category Pornography
match  url category Proxy-Avoidance
match  url category Sex-education
match  url category Social-Networking
match  url category Spam
match  url category Tasteless
match  url category Violence-hate-racism
match  url category Sport-hunting-and-gun-clubs
match  url category Games
match  url category Illegal-Drugs
match  url category Illegal-Questionable
match  url category Cultural-Institutions
match  url category Gambling
match  url category Joke-Programs
match  url category Pay-to-surf
match  url category Peer-to-Peer
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
match access-group 123
class-map type inspect match-all sdm-cls-VPNOutsideToInside-23
match access-group 149
class-map type inspect match-all sdm-cls-VPNOutsideToInside-32
match access-group 160
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
match access-group 126
class-map type inspect match-all sdm-cls-VPNOutsideToInside-22
match access-group 144
class-map type inspect match-all sdm-cls-VPNOutsideToInside-33
match access-group 161
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-12
match access-group 128
class-map type inspect match-all sdm-cls-VPNOutsideToInside-21
match access-group 143
class-map type inspect match-all sdm-cls-VPNOutsideToInside-30
match access-group 158
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
match access-group 130
class-map type inspect match-all sdm-cls-VPNOutsideToInside-20
match access-group 142
class-map type inspect match-all sdm-cls-VPNOutsideToInside-31
match access-group 159
class-map type inspect match-all sdm-cls-VPNOutsideToInside-14
match access-group 132
class-map type inspect match-all sdm-cls-VPNOutsideToInside-27
match access-group 155
class-map type inspect match-all sdm-cls-VPNOutsideToInside-36
match access-group 164
class-map type inspect match-all sdm-cls-VPNOutsideToInside-41
match access-group 169
class-map type inspect match-all sdm-cls-VPNOutsideToInside-15
match access-group 134
class-map type inspect match-all sdm-cls-VPNOutsideToInside-26
match access-group 154
class-map type inspect match-all sdm-cls-VPNOutsideToInside-37
match access-group 165
class-map type inspect match-all sdm-cls-VPNOutsideToInside-40
match access-group 168
class-map type inspect match-all sdm-cls-VPNOutsideToInside-16
match access-group 136
class-map type inspect match-all sdm-cls-VPNOutsideToInside-25
match access-group 153
class-map type inspect match-all sdm-cls-VPNOutsideToInside-34
match access-group 162
class-map type inspect match-all sdm-cls-VPNOutsideToInside-17
match access-group 138
class-map type inspect match-all sdm-cls-VPNOutsideToInside-24
match access-group 151
class-map type inspect match-all sdm-cls-VPNOutsideToInside-35
match access-group 163
class-map type inspect match-all sdm-cls-VPNOutsideToInside-42
match access-group 171
class-map type inspect match-all sdm-cls-VPNOutsideToInside-18
match access-group 140
class-map type inspect match-all sdm-cls-VPNOutsideToInside-19
match access-group 141
class-map type inspect match-all sdm-cls-VPNOutsideToInside-29
match access-group 157
class-map type inspect match-all sdm-cls-VPNOutsideToInside-38
match access-group 166
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all sdm-cls-VPNOutsideToInside-28
match access-group 156
class-map type inspect match-all sdm-cls-VPNOutsideToInside-39
match access-group 167
class-map type urlfilter trend match-any cprepdenyclass0
match  url reputation ADWARE
match  url reputation DIALER
match  url reputation DISEASE-VECTOR
match  url reputation HACKING
match  url reputation PASSWORD-CRACKING-APPLICATIONS
match  url reputation PHISHING
match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match  url reputation SPYWARE
match  url reputation VIRUS-ACCOMPLICE
class-map type urlfilter match-any cplocclassurlallow1
match  server-domain urlf-glob cplocclassurlfgloburlallow1
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type urlfilter trend match-any cptrendclasscatdeny1
match  url category Chat-Instant-Messaging
match  url category Nudity
match  url category Pornography
match  url category Social-Networking
match  url category Abortion
match  url category Activist-Groups
match  url category Adult-Mature-Content
match  url category Cult-Occult
match  url category Gambling
match  url category Games
match  url category Illegal-Drugs
match  url category Illegal-Questionable
match  url category Internet-Radio-and-TV
match  url category Joke-Programs
match  url category Marijuana
match  url category Pay-to-surf
match  url category Peer-to-Peer
match  url category Personals-Dating
match  url category Sex-education
match  url category Spam
match  url category Tasteless
match  url category Violence-hate-racism
match  url category Cultural-Institutions
match  url category Proxy-Avoidance
match  url category Streaming-media-MP3
class-map type urlfilter trend match-any cptrendclasscatdeny2
match  url category Chat-Instant-Messaging
match  url category Nudity
match  url category Pornography
match  url category Social-Networking
class-map type inspect match-all ALLOW_PING_POLICY
match class-map ALLOW_ICMP
class-map type urlfilter match-any cplocclasskdblock1
match  url-keyword urlf-glob cplocclassurlfglobkdblock1
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 103
class-map type urlfilter trend match-any cptrendclassrepdeny1
match  url reputation ADWARE
match  url reputation DIALER
match  url reputation DISEASE-VECTOR
match  url reputation HACKING
match  url reputation PASSWORD-CRACKING-APPLICATIONS
match  url reputation PHISHING
match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match  url reputation SPYWARE
match  url reputation VIRUS-ACCOMPLICE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-4
match class-map sdm-mgmt-cls-0
match access-group 104
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-3
match class-map sdm-mgmt-cls-0
match access-group 115
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-2
match class-map sdm-mgmt-cls-0
match access-group 113
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-1
match class-map sdm-mgmt-cls-0
match access-group 112
class-map type inspect match-all sdm-nat-ica-1
match access-group 145
match protocol ica
class-map type inspect match-all sdm-nat-https-1
match access-group 145
match protocol https
class-map type inspect match-all sdm-nat-citriximaclient-1
match access-group 145
match protocol citriximaclient
class-map type inspect match-all ccp-protocol-http
match protocol http
match access-group 108
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect urlfilter abcspolicy
parameter type urlfpolicy trend cprepdenyregex0
class type urlfilter cpaddbnwlocclasspermit1
  allow
  log
class type urlfilter cpaddbnwlocclassdeny0
  reset
  log
class type urlfilter trend cprepdenyclass0
  reset
  log
class type urlfilter trend cpcatdenyclass3
  reset
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy urlfilter abcspolicy
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class type inspect ALLOW_PING_POLICY
  pass
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-access
  inspect
class type inspect sdm-mgmt-cls-ccp-permit-1
  inspect
class type inspect sdm-mgmt-cls-ccp-permit-2
  inspect
class type inspect sdm-mgmt-cls-ccp-permit-3
  inspect
class type inspect sdm-mgmt-cls-ccp-permit-4
  inspect
class type inspect ALLOW_SNMP
  pass
class class-default
  drop
policy-map type inspect urlfilter cppolicymap-2
parameter type urlfpolicy trend cptrendparacatdeny2
class type urlfilter trend cptrendclasscatdeny2
  reset
  log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
  pass
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-3
  pass
class type inspect sdm-cls-VPNOutsideToInside-4
  pass
class type inspect sdm-cls-VPNOutsideToInside-5
  pass
class type inspect sdm-cls-VPNOutsideToInside-6
  inspect
class type inspect sdm-cls-VPNOutsideToInside-7
  pass
class type inspect sdm-cls-VPNOutsideToInside-8
  pass
class type inspect sdm-cls-VPNOutsideToInside-10
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-11
  inspect
class type inspect sdm-cls-VPNOutsideToInside-12
  inspect
class type inspect sdm-cls-VPNOutsideToInside-13
  inspect
class type inspect sdm-cls-VPNOutsideToInside-14
  inspect
class type inspect sdm-cls-VPNOutsideToInside-15
  inspect
class type inspect sdm-cls-VPNOutsideToInside-16
  inspect
class type inspect sdm-cls-VPNOutsideToInside-17
  inspect
class type inspect sdm-cls-VPNOutsideToInside-18
  inspect
class type inspect sdm-cls-VPNOutsideToInside-19
  pass
class type inspect sdm-cls-VPNOutsideToInside-20
  pass
class type inspect sdm-cls-VPNOutsideToInside-21
  pass
class type inspect sdm-cls-VPNOutsideToInside-22
  pass
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-ica-1
  inspect
class type inspect sdm-nat-user-protocol--1-2
  inspect
class type inspect sdm-nat-citriximaclient-1
  inspect
class type inspect sdm-nat-user-protocol--2-2
  inspect
class type inspect sdm-nat-user-protocol--2-3
  inspect
class type inspect sdm-cls-VPNOutsideToInside-23
  inspect
class type inspect sdm-cls-VPNOutsideToInside-24
  inspect
class type inspect sdm-cls-VPNOutsideToInside-25
  pass
class type inspect sdm-cls-VPNOutsideToInside-26
  pass
class type inspect sdm-cls-VPNOutsideToInside-27
  pass
class type inspect sdm-cls-VPNOutsideToInside-28
  pass
class type inspect sdm-cls-VPNOutsideToInside-29
  pass
class type inspect sdm-cls-VPNOutsideToInside-30
  pass
class type inspect sdm-cls-VPNOutsideToInside-31
  pass
class type inspect sdm-cls-VPNOutsideToInside-32
  pass
class type inspect sdm-cls-VPNOutsideToInside-33
  pass
class type inspect sdm-cls-VPNOutsideToInside-34
  pass
class type inspect sdm-cls-VPNOutsideToInside-35
  pass
class type inspect sdm-cls-VPNOutsideToInside-36
  pass
class type inspect sdm-cls-VPNOutsideToInside-37
  pass
class type inspect sdm-cls-VPNOutsideToInside-38
  pass
class type inspect sdm-cls-VPNOutsideToInside-39
  pass
class type inspect sdm-cls-VPNOutsideToInside-40
  pass
class type inspect sdm-cls-VPNOutsideToInside-41
  pass
class type inspect sdm-cls-VPNOutsideToInside-42
  pass
class class-default
  drop log
policy-map type inspect urlfilter cppolicymap-1
parameter type urlfpolicy trend cptrendparacatdeny1
class type urlfilter cplocclassurlallow1
  allow
  log
class type urlfilter cplocclassurlblock1
  reset
  log
class type urlfilter cplocclasskdblock1
  reset
  log
class type urlfilter trend cptrendclasscatdeny1
  reset
  log
class type urlfilter trend cptrendclassrepdeny1
  reset
  log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp key abc address *.*.*.*
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES esp-3des
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
  description Tunnel to RemoteSite1
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 125
crypto map SDM_CMAP_1 5 ipsec-isakmp
  description Tunnel to RemoteSite2
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 131
crypto map SDM_CMAP_1 6 ipsec-isakmp
  description Tunnel to RemoteSite3
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 133
crypto map SDM_CMAP_1 7 ipsec-isakmp
  description Tunnel to RemoteSite4
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES ESP-3DES-SHA
  match address 148
crypto map SDM_CMAP_1 8 ipsec-isakmp
  description Tunnel to RemoteSite5
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 137
crypto map SDM_CMAP_1 9 ipsec-isakmp
  description Tunnel to RemoteSite6
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 150
crypto map SDM_CMAP_1 10 ipsec-isakmp
  description Tunnel to RemoteSite7
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 152
crypto map SDM_CMAP_1 11 ipsec-isakmp
  description Tunnel to RemoteSite8
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES
  match address 122
crypto map SDM_CMAP_1 12 ipsec-isakmp
  description Tunnel to RemoteSite9
  set peer *.*.*.*
  set security-association lifetime seconds 28800
  set transform-set ESP-3DES ESP-3DES-SHA
  match address 127
!

interface Embedded-Service-Engine0/0
  no ip address
  shutdown
!
interface GigabitEthernet0/0
  description $FW_OUTSIDE$$ETH-LAN$
  ip address *.*.*.* 255.255.255.248
  ip access-group 100 in
  no ip unreachables
  ip nat outside
  no ip virtual-reassembly in
  zone-member security out-zone
  duplex full
  speed 1000
  no mop enabled
  crypto map SDM_CMAP_1
  crypto ipsec df-bit clear
!
interface GigabitEthernet0/1
  description $FW_INSIDE$$ETH-LAN$
  ip address *.*.*.* 255.255.255.0
  ip flow ingress
  ip flow egress
  ip nat inside
  ip virtual-reassembly in
  zone-member security in-zone
  duplex full
  speed 1000
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip flow-top-talkers
  top 10
  sort-by bytes
  cache-timeout 1000000
!
ip nat inside source static tcp 192.168.1.217 5080 interface GigabitEthernet0/0 5080
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.218 18802 *.*.*.* 18802 route-map ETL_CARDLOCK extendable
ip nat inside source static tcp 192.168.1.216 80 *.*.*.* 80 extendable
ip nat inside source static tcp 192.168.1.216 443 *.*.*.* 443 extendable
ip nat inside source static tcp 192.168.1.216 1494 *.*.*.* 1494 extendable
ip nat inside source static tcp 192.168.1.216 2598 *.*.*.* 2598 extendable
ip nat inside source static tcp 192.168.1.213 3389 *.*.*.* 3390 extendable
ip nat inside source static tcp 192.168.1.216 5080 *.*.*.* 5080 extendable
ip route 0.0.0.0 0.0.0.0 *.*.*.*
!
!
ip access-list extended SDM_AH
  remark CCP_ACL Category=1
  permit ahp any any
ip access-list extended SDM_ESP
  remark CCP_ACL Category=1
  permit esp any any
ip access-list extended SDM_GRE
  remark CCP_ACL Category=1
  permit gre any any
ip access-list extended SDM_HTTP
  remark CCP_ACL Category=0
  permit tcp any any eq www
ip access-list extended SDM_HTTPS
  remark CCP_ACL Category=1
  permit tcp any any eq 443
ip access-list extended SDM_SHELL
  remark CCP_ACL Category=1
  permit tcp any any eq cmd
ip access-list extended SDM_SSH
  remark CCP_ACL Category=1
  permit tcp any any eq 22
ip access-list extended SDM_TELNET
  remark CCP_ACL Category=0
  permit tcp any any eq telnet
!
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=1
access-list 2 permit *.*.*.* 0.0.1.255
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 permit *.*.*.* 0.0.0.255
access-list 2 permit *.*.*.* 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 permit tcp *.*.*.* 0.0.1.255 host *.*.*.* eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host *.*.*.* eq telnet
access-list 100 permit tcp *.*.*.* 0.0.1.255 host *.*.*.* eq 22
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host *.*.*.* eq 22
access-list 100 permit tcp *.*.*.* 0.0.1.255 host *.*.*.* eq www
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host *.*.*.* eq www
access-list 100 permit tcp *.*.*.* 0.0.1.255 host *.*.*.* eq 443
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host 24.222.16.186 eq 443
access-list 100 permit tcp *.*.*.* 0.0.1.255 host *.*.*.* eq cmd
access-list 100 permit tcp 192.168.0.0 0.0.255.255 host *.*.*.* eq cmd
access-list 100 deny   tcp any host *.*.*.* eq telnet
access-list 100 deny   tcp any host *.*.*.* eq 22
access-list 100 deny   tcp any host *.*.*.* eq www
access-list 100 deny   tcp any host *.*.*.* eq 443
access-list 100 deny   tcp any host *.*.*.* eq cmd
access-list 100 permit udp host *.*.*.* host *.*.*.* eq snmp
access-list 100 deny   udp any host *.*.*.* eq snmp
access-list 100 permit tcp any host *.*.*.* eq 3390
access-list 100 permit tcp any host *.*.*.* eq 1494
access-list 100 permit tcp any host *.*.*.* eq 2598
access-list 100 permit tcp any host *.*.*.* eq 5080
access-list 100 permit tcp any host *.*.*.* eq 1484
access-list 100 permit tcp any host *.*.*.* eq 3389
access-list 100 permit tcp any host *.*.*.* eq 443
access-list 100 permit tcp any host *.*.*.* eq www
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit udp host *.*.*.* host *.*.*.* eq non500-isakmp
access-list 100 permit udp host *.*.*.* host *.*.*.* eq isakmp
access-list 100 permit esp host *.*.*.* host *.*.*.*
access-list 100 permit ahp host *.*.*.* host *.*.*.*
access-list 100 permit tcp any host *.*.*.* eq 5080
access-list 100 permit tcp host *.*.*.* host *.*.*.* eq 4443
access-list 100 permit udp host 8.8.8.8 eq 53 host *.*.*.*
access-list 100 permit udp host *.*.*.* eq 53 host *.*.*.*
access-list 100 permit udp host 4.2.2.2 eq 53 host *.*.*.*
access-list 100 permit icmp any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 204.58.62.0 0.0.1.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit ip *.*.*.* 0.0.0.255 any
access-list 101 permit ip *.*.*.* 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip *.*.*.* 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host *.*.*.* any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip *.*.*.* 0.0.1.255 host 24.222.16.186
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 106 permit ip host *.*.*.* any
access-list 107 remark CCP_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark CCP_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark CCP_ACL Category=1
access-list 112 permit ip *.*.*.* 0.0.0.255 host *.*.*.*
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark CCP_ACL Category=1
access-list 113 permit ip *.*.*.* 0.0.0.255 host *.*.*.*
access-list 114 remark CCP_ACL Category=0
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 remark Auto generated by SDM Management Access feature
access-list 115 remark CCP_ACL Category=1
access-list 115 permit ip 192.168.0.0 0.0.255.255 host *.*.*.*
access-list 116 remark CCP_ACL Category=0
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 remark CCP_ACL Category=0
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 118 remark CCP_ACL Category=0
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 119 remark CCP_ACL Category=0
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark CCP_ACL Category=0
access-list 121 remark IPSec Rule
access-list 121 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 121 remark IPSec Rule
access-list 121 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 123 remark CCP_ACL Category=0
access-list 123 remark IPSec Rule
access-list 123 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 124 remark CCP_ACL Category=0
access-list 124 permit ip any host 192.168.1.217
access-list 125 remark CCP_ACL Category=4
access-list 125 remark IPSec Rule
access-list 125 permit ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 126 remark CCP_ACL Category=0
access-list 126 remark IPSec Rule
access-list 126 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 126 remark IPSec Rule
access-list 126 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 127 remark CCP_ACL Category=4
access-list 127 remark IPSec Rule
access-list 127 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 128 remark CCP_ACL Category=0
access-list 128 remark IPSec Rule
access-list 128 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 128 remark IPSec Rule
access-list 128 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 128 remark IPSec Rule
access-list 128 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 129 remark CCP_ACL Category=4
access-list 129 remark IPSec Rule
access-list 129 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 remark CCP_ACL Category=0
access-list 130 remark IPSec Rule
access-list 130 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 remark IPSec Rule
access-list 130 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 remark IPSec Rule
access-list 130 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 remark IPSec Rule
access-list 130 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 131 remark CCP_ACL Category=4
access-list 131 remark IPSec Rule
access-list 131 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 132 remark CCP_ACL Category=0
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 133 remark CCP_ACL Category=4
access-list 133 remark IPSec Rule
access-list 133 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 134 remark CCP_ACL Category=0
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 134 remark IPSec Rule
access-list 134 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 135 remark CCP_ACL Category=4
access-list 135 remark IPSec Rule
access-list 135 permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 136 remark CCP_ACL Category=0
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 137 remark CCP_ACL Category=4
access-list 137 remark IPSec Rule
access-list 137 permit ip 192.168.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 138 remark CCP_ACL Category=0
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.12.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 139 remark CCP_ACL Category=4
access-list 139 remark IPSec Rule
access-list 139 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 140 remark CCP_ACL Category=0
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark CCP_ACL Category=0
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 141 remark IPSec Rule
access-list 141 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark CCP_ACL Category=0
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 142 remark IPSec Rule
access-list 142 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark CCP_ACL Category=0
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 143 remark IPSec Rule
access-list 143 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark CCP_ACL Category=0
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 144 remark IPSec Rule
access-list 144 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 145 remark CCP_ACL Category=0
access-list 145 permit ip any host 192.168.1.216
access-list 146 remark CCP_ACL Category=0
access-list 146 permit ip any host 192.168.1.212
access-list 147 remark CCP_ACL Category=0
access-list 147 permit ip any host 192.168.1.213
access-list 148 remark CCP_ACL Category=4
access-list 148 remark IPSec Rule
access-list 148 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 149 remark CCP_ACL Category=0
access-list 149 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 149 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 remark CCP_ACL Category=4
access-list 150 remark IPSec Rule
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 151 remark CCP_ACL Category=0
access-list 151 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 151 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 152 remark CCP_ACL Category=4
access-list 152 remark IPSec Rule
access-list 152 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 153 remark CCP_ACL Category=0
access-list 153 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 153 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 remark CCP_ACL Category=0
access-list 154 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 remark CCP_ACL Category=0
access-list 155 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 155 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 remark CCP_ACL Category=0
access-list 156 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 156 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 remark CCP_ACL Category=0
access-list 157 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 157 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 remark CCP_ACL Category=0
access-list 158 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 158 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 remark CCP_ACL Category=0
access-list 159 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 159 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 remark CCP_ACL Category=0
access-list 160 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 160 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 remark CCP_ACL Category=0
access-list 161 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 161 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 remark CCP_ACL Category=0
access-list 162 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 162 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 remark CCP_ACL Category=0
access-list 163 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 163 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 remark CCP_ACL Category=0
access-list 164 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 164 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 remark CCP_ACL Category=0
access-list 165 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 165 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 remark CCP_ACL Category=0
access-list 166 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 166 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 remark CCP_ACL Category=0
access-list 167 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 167 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 remark CCP_ACL Category=0
access-list 168 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 168 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 remark CCP_ACL Category=0
access-list 169 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 169 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 170 permit ip 192.168.1.0 0.0.0.255 host 192.168.6.2 log-input
access-list 170 permit ip host 192.168.6.2 192.168.1.0 0.0.0.255 log-input
access-list 171 remark CCP_ACL Category=0
access-list 171 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 171 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 180 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.2 log-input
access-list 180 permit tcp host 192.168.2.2 192.168.1.0 0.0.0.255 log-input
!
route-map SDM_RMAP_1 permit 1
 match ip address 108

!

snmp-server community ***** RO
!
control-plane
!

line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 101 in
 exec-timeout 0 0
 password enable1
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
end

*************************************************************************************************************

Thanks,

Shuai

It seems that you haven't allowed ESP traffic from zone outside to self to pass.

That is correct at the moment. I used to have it, but TAC removed the policy-map, which brought up the tunnel. Plus, I think I used an ACL on the external interface and ZBF to double-layer protect the router, which might cause issues.

I've been using both 12.4 and 15.1.

Was this config working at this moment?

The configuration is working, minus some intermittent DNS issues.

I really think this is the caching issue.
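The rule the first reply refers to, as an added example that is not taken from the original poster's configuration or from TAC: a zone-based firewall policy that passes IKE (UDP 500), NAT-T (UDP 4500) and ESP between the outside zone and the router's self zone, in both directions. The zone name `OUTSIDE`, the ACL, class-map and policy-map names, and the two addresses (documentation ranges) are assumptions; only the zone-pair names `out-self` and `self-out` follow the thread's wording.

```cisco
! Added example. 203.0.113.10 = remote peer, 198.51.100.1 = this router's
! outside address (both placeholders from documentation ranges).
ip access-list extended ACL-VPN-TO-SELF
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
! Outbound side matches on the router's source port, so it covers both
! initiated exchanges and replies to a peer behind NAT.
ip access-list extended ACL-VPN-FROM-SELF
 permit udp host 198.51.100.1 eq isakmp host 203.0.113.10
 permit udp host 198.51.100.1 eq non500-isakmp host 203.0.113.10
 permit esp host 198.51.100.1 host 203.0.113.10
!
class-map type inspect match-any CM-VPN-TO-SELF
 match access-group name ACL-VPN-TO-SELF
class-map type inspect match-any CM-VPN-FROM-SELF
 match access-group name ACL-VPN-FROM-SELF
!
! ESP cannot be inspected on self-zone pairs, so the action is "pass".
! "pass" is stateless: each direction needs its own explicit rule.
policy-map type inspect PM-OUT-SELF
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUT
 class type inspect CM-VPN-FROM-SELF
  pass
 class class-default
  drop log
!
zone-pair security out-self source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
zone-pair security self-out source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUT
!
! An inbound ACL on the outside interface is evaluated in addition to the
! zone policy, so it has to permit the same three flows from the peer.
```

As written, `class-default` drops everything else to and from the router on these zone-pairs, so management, NTP, DNS and SNMP traffic needs its own classes ahead of it. The `drop log` entries show which flow is being discarded if the tunnel still fails to negotiate.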
