Lost on SiteToSite VPN connectivity issues

I'm working between two sites right now.

Site A is a Cisco 891.

Site B is a Snapgear SG560

I have a simple IPSEC tunnel set up between the two of them.

When I got it configured, I ran into a NAT problem where anything that I had static NAT'ed I couldn't reach from Site B (the world and local LANs still could). I solved this via another forum post here recommending adding a route-map to the end of the ip nat inside command. I did so and this solved it.

But the reverse started happening. I can now ping everything I had static NAT'ed and access them as well, but all the other regular hosts I cannot.

Please help; I've been working on this for the past 9 hours. Much appreciated. Here's the Cisco CONFIG.

P.S. Even weirder, if I run a ping from a PC behind the SG560 to a 50.x IP behind the Cisco, it will fail... unless I'm simultaneously attempting a ping from the 50.x host I was trying to ping back to the PC I'm testing on.

(Configured using CCP)

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

!

boot-start-marker

boot-end-marker

!

!

logging buffered 102004

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

!

!

!

!

!

aaa session-id common

!

clock timezone NewYork -5 0

clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00

crypto pki token default removal timeout 0

!

!

!

ip source-route

!

!

!

!

ip dhcp pool TestNet

import all

network 192.168.99.0 255.255.255.0

dns-server 192.168.50.2

default-router 192.168.99.1

!

ip dhcp pool TechServices

host 192.168.99.99 255.255.255.0

hardware-address 000f.b5ea.ec97

!

!

ip cef

ip name-server 4.2.2.2

ip port-map user-AspectApplet port tcp 7227

ip port-map user-8080 port tcp 8080

ip port-map user-7226 port tcp 7226

ip port-map user-smtps port tcp 465 description Secure Smtp

no ipv6 cef

!

!

!

!

multilink bundle-name authenticated

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

!

!

!

!

!

!

license udi pid CISCO891-K9 sn FTX163083H9

!

!

object-group service AD-Sync

tcp eq 636

tcp eq 389

!

object-group network AllLANs

192.168.212.0 255.255.255.0

10.10.10.0 255.255.255.224

192.168.23.0 255.255.255.0

192.168.50.0 255.255.255.0

192.168.53.0 255.255.255.0

192.168.55.0 255.255.255.0

192.168.59.0 255.255.255.0

192.168.99.0 255.255.255.0

!

object-group service AspectFT

tcp eq 7226

tcp eq 8080

tcp eq 443

icmp echo

tcp eq www

!

object-group service AspectFTApplet

tcp eq 7227

!

object-group network AtlantaSubnet

192.168.55.0 255.255.255.0

192.168.212.0 255.255.255.0

192.168.53.0 255.255.255.0

!

object-group network INT_aamex10

host 192.168.50.182

!

object-group network INT_aamex2

host 192.168.50.27

!

object-group network INT_ExchangeTest

host 192.168.50.103

!

object-group network BOTHexchange

group-object INT_aamex10

group-object INT_aamex2

group-object INT_ExchangeTest

!

object-group service BacnetUDP

udp source eq 47807

udp source eq 47808

udp source eq 47809

udp source eq 17284

udp source eq 7226

!

object-group network INT_ns1

host 192.168.50.3

!

object-group network INT_ns2

host 192.168.50.5

!

object-group network BothNAMESERVERS

group-object INT_ns1

group-object INT_ns2

!

object-group network DMZ_www_server

host 192.168.59.1

!

object-group service Domain

tcp-udp eq domain

!

object-group network EXT_corp

host 98.xx.xx.21

!

object-group network EXT_facility

host 98.xx.xx.24

!

object-group network EXT_forums

host 98.xx.xx.23

!

object-group network EXT_ns1

host 98.xx.xx.19

!

object-group network EXT_ns2

host 98.xx.xx.20

!

object-group network EXT_www

host 98.xx.xx.22

!

object-group service Exchange+OWA

tcp eq 443

tcp eq 465

tcp eq 993

icmp echo

tcp eq www

!

object-group network Export_DMZ

192.168.59.0 255.255.255.0

!

object-group network Export_External_Net

98.xx.xx.16 255.255.255.240

!

object-group service HTTPOnly

tcp eq www

!

object-group network INT_forums

host 192.168.50.8

!

object-group network INT_matrix

host 192.168.50.76

!

object-group network Kennesaw_External_Net

75.xx.xx.40 255.255.255.248

!

object-group network MXLogic

208.xx.144.0 255.255.248.0

208.xx.xx.0 255.255.252.0

!

object-group network Manuf-Nexus

host 192.168.50.82

!

object-group network RemoteApp

host 192.168.50.161

!

object-group service SMTP

tcp eq 465

tcp eq smtp

!

object-group network SMTP_Trusted

group-object Export_DMZ

group-object MXLogic

group-object AtlantaSubnet

group-object Kennesaw_External_Net

!

object-group service SoloProoverIP(PUP)

tcp-udp source eq 4222

tcp-udp source eq 4225

!

object-group network WSUS/CertServer

host 192.168.50.213

!

object-group network Yosemite

host 192.168.50.4

!

object-group service http(s)+ftp(d)

tcp eq 443

tcp eq ftp-data

tcp eq ftp

tcp eq www

!

object-group service http+https

tcp eq 443

tcp eq www

!

!

!

!

!

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 110

class-map type inspect match-all sdm-cls-VPNOutsideToInside-2

match access-group 107

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 106

class-map type inspect match-all sdm-cls-VPNOutsideToInside-9

match access-group 122

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any AspectApplet

match protocol user-AspectApplet

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match protocol icmp

match protocol pptp

class-map type inspect match-all SDM_VPN_PT

match access-group 102

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any http

match protocol http

match protocol icmp

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect match-any AspectFT

match protocol user-7226

match protocol user-8080

match protocol icmp

match protocol http

match protocol https

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access-1

match protocol icmp

class-map type inspect match-any SMTPOnly

match protocol smtp

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-any http+https

match protocol http

match protocol https

class-map type inspect match-any DD_PPTP

match protocol pptp

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-any dns

match protocol dns

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match class-map dns

match access-group name NAMESERVERS

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-any ExchangeOWA

match protocol user-smtps

match protocol imaps

match protocol http

match protocol https

match protocol icmp

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2

match class-map ExchangeOWA

match access-group name ExchangeNonSMTPTraffic

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3

match class-map AspectFT

match access-group name INT_Matrix

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-4

match class-map http+https

match access-group name CertificateTraffic

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-5

match class-map http

match access-group name INT_forums

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect match-any ccp-dmz-protocols

match protocol http

match protocol https

match protocol ftp

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-6

match class-map AspectApplet

match access-group name ManufNexus

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-7

match class-map SMTPOnly

match access-group name SMPTTrustedTraffic

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop log

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop log

policy-map type inspect ccp-IntoDmz

class class-default

  pass

policy-map type inspect ccp-DMZtoIn

class class-default

  pass

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass log

class type inspect DD_PPTP

  pass log

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-cls-icmp-access-1

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop log

policy-map type inspect ccp-outToDMZ

class type inspect sdm-cls-VPNOutsideToInside-2

  pass

class class-default

  pass

policy-map type inspect ccp-policy-ccp-cls--1

class class-default

  pass log

policy-map type inspect ccl-pol-outToIn

class type inspect sdm-cls-VPNOutsideToInside-9

policy-map type inspect ccp-pol-outToIn

class type inspect ccp-cls-ccp-pol-outToIn-1

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-3

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-5

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-6

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-4

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-2

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-7

  inspect

class type inspect CCP_PPTP

  pass

class type inspect sdm-cls-VPNOutsideToInside-1

  pass

class class-default

  drop log

policy-map type inspect ccp-DMZToOut

class class-default

  pass

!

zone security dmz-zone

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-outToDMZ source out-zone destination dmz-zone

service-policy type inspect ccp-outToDMZ

zone-pair security ccp-zp-DMZtoOut source dmz-zone destination out-zone

service-policy type inspect ccp-DMZToOut

zone-pair security ccp-zp-DMZtoIN source dmz-zone destination in-zone

service-policy type inspect ccp-DMZtoIn

zone-pair security ccp-zp-InToDMZ source in-zone destination dmz-zone

service-policy type inspect ccp-IntoDmz

!

crypto logging ezvpn

crypto ctcp port 10000

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxx address 75.xx.xx.41

crypto isakmp keepalive 30

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to75.xx.xx.41

set peer 75.xx.xx.41

set transform-set ESP-3DES-SHA1

match address 101

!

!

!

!

!

interface FastEthernet0

description Mgmt Interface

no ip address

!

interface FastEthernet1

description Corp Interface

switchport access vlan 50

no ip address

!

interface FastEthernet2

description VOIP Interface

switchport access vlan 23

no ip address

!

interface FastEthernet3

description TestNet Interface

switchport access vlan 99

no ip address

!

interface FastEthernet4

description DMZ Interface

switchport access vlan 59

no ip address

!

interface FastEthernet5

switchport access vlan 5

no ip address

shutdown

!

interface FastEthernet6

no ip address

shutdown

!

interface FastEthernet7

no ip address

shutdown

!

interface FastEthernet8

no ip address

shutdown

duplex auto

speed auto

!

interface Virtual-Template1

ip unnumbered FastEthernet1

peer default ip address pool SDM_POOL_1

no keepalive

ppp encrypt mppe 128

ppp authentication ms-chap ms-chap-v2

!

interface GigabitEthernet0

description Internet Access$ETH-WAN$$FW_OUTSIDE$

ip address 98.xx.xx.27 255.255.255.240 secondary

ip address 98.xx.xx.28 255.255.255.240 secondary

ip address 98.xx.xx.29 255.255.255.240 secondary

ip address 98.xx.xx.20 255.255.255.240 secondary

ip address 98.xx.xx.19 255.255.255.240 secondary

ip address 98.xx.xx.22 255.255.255.240 secondary

ip address 98.xx.xx.23 255.255.255.240 secondary

ip address 98.xx.xx.30 255.255.255.240 secondary

ip address 98.xx.xx.26 255.255.255.0 secondary

ip address 98.xx.xx.25 255.255.255.240

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface Vlan1

description Mgmt Vlan$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

ip address 10.10.10.1 255.255.255.224

ip access-group 103 in

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Vlan23

description VOIP VLAN$FW_INSIDE$

ip address 192.168.23.2 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan50

description Corp VLAN$FW_INSIDE$

ip address 192.168.50.1 255.255.255.0 secondary

ip address 192.168.50.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan59

description DMZ VLAN$FW_DMZ$

ip address 192.168.59.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security dmz-zone

!

interface Vlan99

description TestNet VLAN$FW_INSIDE$

ip address 192.168.99.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

!

interface Async1

no ip address

encapsulation slip

!

interface GMPLS0

no ip address

shutdown

no fair-queue

no keepalive

!

ip local pool SDM_POOL_1 192.168.50.240 192.168.50.243

ip local pool SDM_POOL_2 192.168.23.250 192.168.23.254

ip forward-protocol nd

!

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

ip nat inside source static udp 192.168.50.3 53 98.xx.xx.19 53 route-map nonat82 extendable

ip nat inside source static tcp 192.168.50.213 80 98.xx.xx.19 80 route-map nonat82 extendable

ip nat inside source static tcp 192.168.50.213 443 98.xx.xx.19 443 route-map nonat82 extendable

ip nat inside source static 192.168.50.5 98.xx.xx.20 route-map nonat82

ip nat inside source static tcp 192.168.50.82 7227 98.xx.xx.22 7227 route-map nonat82 extendable

ip nat inside source static 192.168.50.182 98.xx.xx.26 route-map nonat82

ip nat inside source static tcp 192.168.59.1 20 98.xx.xx.27 20 route-map nonat82 extendable

ip nat inside source static tcp 192.168.59.1 21 98.xx.xx.27 21 route-map nonat82 extendable

ip nat inside source static tcp 192.168.59.1 80 98.xx.xx.27 80 route-map nonat82 extendable

ip nat inside source static 192.168.50.103 98.xx.xx.29 route-map nonat82

ip nat inside source static tcp 192.168.50.8 80 98.xx.xx.30 80 route-map nonat82 extendable

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 98.xx.xx.17 permanent

ip route 192.168.102.0 255.255.255.0 192.168.102.1

!

ip access-list extended BOTHexchange

remark CCP_ACL Category=128

permit ip any object-group INT_aamex10

ip access-list extended CMUBroadcast

remark CCP_ACL Category=128

permit ip host 128.2.118.38 any

ip access-list extended CertificateTraffic

remark CCP_ACL Category=128

permit ip any object-group WSUS/CertServer

ip access-list extended ExchangeNonSMTPTraffic

remark CCP_ACL Category=128

permit ip any object-group BOTHexchange

ip access-list extended INT_Matrix

remark CCP_ACL Category=128

permit ip any object-group INT_matrix

ip access-list extended INT_forums

remark CCP_ACL Category=128

permit ip any object-group INT_forums

ip access-list extended ManufNexus

remark CCP_ACL Category=128

permit ip any object-group Manuf-Nexus

ip access-list extended NAMESERVERS

remark CCP_ACL Category=128

permit ip any object-group BothNAMESERVERS

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

permit esp any any

permit tcp any any eq 1723

permit udp any any eq isakmp

ip access-list extended SMPTTrustedTraffic

remark CCP_ACL Category=128

permit ip object-group SMTP_Trusted object-group BOTHexchange

ip access-list extended SMTPS

remark CCP_ACL Category=1

permit ip any object-group BOTHexchange

ip access-list extended local-dmz-traffic

remark CCP_ACL Category=128

permit ip object-group AllLANs any

!

logging trap debugging

logging 10.10.10.1

logging 192.168.50.150

access-list 23 remark Cisco HTTP access

access-list 23 remark CCP_ACL Category=17

access-list 23 permit 192.168.50.0 0.0.0.255

access-list 23 permit 10.10.10.0 0.0.0.31

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 192.168.59.0 0.0.0.255 any

access-list 100 permit ip 98.xx.xx.16 0.0.0.15 any

access-list 101 remark CCP_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit icmp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit tcp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit udp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit icmp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit udp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit tcp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit tcp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit udp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit icmp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit icmp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit udp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit tcp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip host 75.xx.xx.41 any

access-list 102 permit ip 192.168.102.0 0.0.0.255 any

access-list 103 remark Auto generated by SDM Management Access feature

access-list 103 remark CCP_ACL Category=1

access-list 103 permit tcp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq telnet

access-list 103 permit tcp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq 22

access-list 103 permit tcp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq www

access-list 103 permit tcp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq 443

access-list 103 permit tcp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq cmd

access-list 103 permit udp 10.10.10.0 0.0.0.31 host 10.10.10.1 eq snmp

access-list 103 deny   tcp any host 10.10.10.1 eq telnet

access-list 103 deny   tcp any host 10.10.10.1 eq 22

access-list 103 deny   tcp any host 10.10.10.1 eq www

access-list 103 deny   tcp any host 10.10.10.1 eq 443

access-list 103 deny   tcp any host 10.10.10.1 eq cmd

access-list 103 deny   udp any host 10.10.10.1 eq snmp

access-list 103 permit ip any any

access-list 104 remark CCP_ACL Category=1

access-list 104 permit ip 192.168.50.0 0.0.0.255 any

access-list 104 permit ip 10.10.10.0 0.0.0.31 any

access-list 104 permit ip 10.10.10.0 0.0.0.7 any

access-list 105 remark CCP_ACL Category=1

access-list 105 permit ip 192.168.50.0 0.0.0.255 any

access-list 105 permit ip 10.10.10.0 0.0.0.31 any

access-list 105 permit ip 10.10.10.0 0.0.0.7 any

access-list 106 remark CCP_ACL Category=0

access-list 106 permit ip any host 192.168.59.1

access-list 107 remark CCP_ACL Category=0

access-list 107 permit ip 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 107 permit icmp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 107 permit tcp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 107 permit udp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 107 permit ip 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 107 permit icmp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 107 permit udp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 107 permit tcp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 107 permit tcp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 107 permit udp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 107 permit icmp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 107 permit ip 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 107 permit ip 192.168.55.0 0.0.0.255 192.168.59.0 0.0.0.255

access-list 107 permit icmp 192.168.55.0 0.0.0.255 192.168.59.0 0.0.0.255

access-list 107 permit udp 192.168.55.0 0.0.0.255 192.168.59.0 0.0.0.255

access-list 107 permit tcp 192.168.55.0 0.0.0.255 192.168.59.0 0.0.0.255

access-list 109 remark CCP_ACL Category=128

access-list 109 permit ip any any

access-list 109 permit ip host 98.21.114.149 any

access-list 110 remark CCP_ACL Category=0

access-list 110 permit ip 192.168.53.0 0.0.0.255 any

access-list 110 permit ip 192.168.212.0 0.0.0.255 any

access-list 110 permit ip 192.168.55.0 0.0.0.255 any

access-list 110 permit ip 192.168.50.0 0.0.0.255 any

access-list 113 remark CCP_ACL Category=2

access-list 113 remark IPSec Rule

access-list 113 deny   tcp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   udp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   icmp 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   ip 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   ip 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   icmp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   udp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   tcp 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   tcp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   udp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   icmp 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   udp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   tcp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   icmp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 113 remark IPSec Rule

access-list 113 deny   ip 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 113 permit ip 192.168.50.0 0.0.0.255 any

access-list 113 permit ip 192.168.59.0 0.0.0.255 any

access-list 113 permit ip 192.168.23.0 0.0.0.255 any

access-list 113 permit ip 192.168.99.0 0.0.0.255 any

access-list 114 remark CCP_ACL Category=128

access-list 114 permit ip host 98.xx.114.149 any

access-list 115 remark CCP_ACL Category=0

access-list 115 permit ip any host 98.xx.xx.1

access-list 116 remark CCP_ACL Category=1

access-list 116 permit tcp any any eq 10000

access-list 117 remark CCP_ACL Category=2

access-list 117 remark IPSec Rule

access-list 117 deny   udp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 117 remark IPSec Rule

access-list 117 deny   tcp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 117 remark IPSec Rule

access-list 117 deny   icmp 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 117 remark IPSec Rule

access-list 117 deny   ip 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255

access-list 117 permit ip 192.168.23.0 0.0.0.255 any

access-list 117 permit ip 10.10.10.0 0.0.0.31 any

access-list 118 remark CCP_ACL Category=0

access-list 118 permit ip any object-group RemoteApp

access-list 122 remark CCP_ACL Category=0

access-list 122 permit ip 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 122 permit icmp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 122 permit tcp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 122 permit udp 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.31

access-list 122 permit ip 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 122 permit icmp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 122 permit udp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 122 permit tcp 192.168.55.0 0.0.0.255 192.168.50.0 0.0.0.255

access-list 122 permit tcp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 122 permit udp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 122 permit icmp 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 122 permit ip 192.168.55.0 0.0.0.255 192.168.99.0 0.0.0.255

access-list 123 remark CCP_ACL Category=18

access-list 123 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255

access-list 123 permit ip 192.168.50.0 0.0.0.255 any

access-list 199 permit icmp any any

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 113

!

route-map SDM_RMAP_3 permit 1

match ip address 117

!

route-map nonat82 permit 10

match ip address 123

!

!

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

line con 0

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

access-class 105 in

password *

transport input telnet ssh

line vty 5 15

access-class 104 in

password *

transport input telnet ssh

!

ntp update-calendar

ntp server 0.us.pool.ntp.org prefer

end
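As an added example, not from the original post: a small Python model of how the route-map-conditioned NAT statements in this config decide whether an inside-to-outside flow is translated, built from the page's ACL 113 (route-map SDM_RMAP_1 on the overload rule) and ACL 123 (route-map nonat82 on the static entries). It models NAT only, not the zone-based firewall policies, and assumes standard IOS semantics: ACLs are first-match with an implicit deny, a route-map permit clause matches only flows its ACL permits, a NAT statement bound to a route-map translates only flows the route-map matches, and a matching static entry is consulted before the overload rule; the destination 198.51.100.7 is a constructed stand-in for an Internet host.

```python
"""Model of the route-map-conditioned NAT decisions in the configuration above.

Assumed IOS semantics (this is a model written for this page, not router code):
  * an ACL is evaluated top-down, first match wins, implicit deny at the end;
  * 'route-map X permit N' with 'match ip address <acl>' matches a flow only
    if that ACL permits it; if no clause matches, the route-map does not match;
  * a NAT statement bound to a route-map translates only flows the route-map
    matches, and a static entry is consulted before the overload rule.
Only the 'ip' entries of ACL 113 are reproduced; CCP's tcp/udp/icmp duplicates
are subsumed by them because they appear in the same order.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return Net("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return Net(f"{tokens[1]}/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # Contiguous wildcard -> netmask by bitwise complement (true for all
    # wildcards on this page).
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines; remarks skipped."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, rest = tokens[2], tokens[4:]  # tokens[3] is the protocol
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit trailing deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


# ACL 113 (route-map SDM_RMAP_1, the overload rule), 'ip' entries as on the page.
ACL_113 = parse_acl("""
access-list 113 remark CCP_ACL Category=2
access-list 113 deny   ip 192.168.59.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 113 deny   ip 192.168.99.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 113 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 113 deny   ip 10.10.10.0 0.0.0.31 192.168.102.0 0.0.0.255
access-list 113 permit ip 192.168.50.0 0.0.0.255 any
access-list 113 permit ip 192.168.59.0 0.0.0.255 any
access-list 113 permit ip 192.168.23.0 0.0.0.255 any
access-list 113 permit ip 192.168.99.0 0.0.0.255 any
""".strip().splitlines())

# ACL 123 (route-map nonat82, bound to every static entry), as on the page.
ACL_123 = parse_acl("""
access-list 123 deny   ip 192.168.50.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 123 permit ip 192.168.50.0 0.0.0.255 any
""".strip().splitlines())

# Each route-map on the page has a single permit clause matching one ACL.
ROUTE_MAPS = {"SDM_RMAP_1": ACL_113, "nonat82": ACL_123}

# (inside local, inside global, route-map) for the page's static entries.
# 192.168.59.1 only has per-port (tcp 20/21/80) statics; it is modelled at
# address level here, so its result applies to those ports.
STATIC_NAT = [
    ("192.168.50.5", "98.xx.xx.20", "nonat82"),
    ("192.168.50.182", "98.xx.xx.26", "nonat82"),
    ("192.168.50.103", "98.xx.xx.29", "nonat82"),
    ("192.168.59.1", "98.xx.xx.27", "nonat82"),
]
OVERLOAD_ROUTE_MAP = "SDM_RMAP_1"  # ip nat inside source route-map ... overload


def route_map_matches(name, src_ip, dst_ip):
    return acl_permits(ROUTE_MAPS[name], src_ip, dst_ip)


def nat_decision(src_ip, dst_ip):
    """How an inside-to-outside flow leaves GigabitEthernet0:
    ('static', global) | ('overload', 'GigabitEthernet0') | ('untranslated', src)."""
    for local, glob, rmap in STATIC_NAT:
        if src_ip == local and route_map_matches(rmap, src_ip, dst_ip):
            return ("static", glob)
    if route_map_matches(OVERLOAD_ROUTE_MAP, src_ip, dst_ip):
        return ("overload", "GigabitEthernet0")
    return ("untranslated", src_ip)


if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for an Internet host.
    for flow in [("192.168.50.5", "192.168.55.10"), ("192.168.50.5", "198.51.100.7"),
                 ("192.168.50.77", "192.168.55.10"), ("192.168.50.77", "198.51.100.7"),
                 ("192.168.59.1", "192.168.55.10"), ("192.168.59.1", "198.51.100.7"),
                 ("192.168.99.20", "192.168.55.10")]:
        print(flow, "->", nat_decision(*flow))
```

One thing the model surfaces is that ACL 123 only ever permits 192.168.50.0/24 sources, so under these semantics nonat82 never matches traffic from 192.168.59.1 and that host falls through to the overload rule rather than its static entries; confirm what the router actually does with show ip nat translations and show ip nat statistics before acting on it.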
