Router and VPN Client for Public Internet on a Stick Configuration

Hi,

I need some help configuring the example on this link:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml

The example uses the crypto-map method and not the VTI method, and I'm not exactly sure how to implement it in my configuration (attached).

Also, what does the "set ip next-hop 10.11.0.2" command do exactly in the example? I could not find any reference to that IP, only to 10.11.0.1 (which is the loopback's IP address).

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone Prague 1 0
clock summer-time Prague date Mar 30 2003 2:00 Oct 26 2003 3:00
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
redundancy
!
!
!
!
!
!
crypto keyring ccp-dmvpn-keyring 
  pre-shared-key address 0.0.0.0 0.0.0.0 key *
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGRP1
key *
dns 10.50.1.3 10.53.1.3
domain *
pool SDM_POOL_1
acl 100
save-password
netmask 255.255.255.0
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPNGRP1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES256-SHA
set isakmp-profile ccp-dmvpn-isakmprofile
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-AES256-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Tunnel1
bandwidth 1000
ip address 172.16.1.50 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication *
ip nhrp map multicast dynamic
ip nhrp network-id 7
ip nhrp holdtime 360
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
description $ETH-LAN$
encapsulation dot1Q 501 native
ip address 10.50.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface GigabitEthernet0/0.2
description $ETH-LAN$
encapsulation dot1Q 502
ip address 10.50.2.254 255.255.255.0
!
interface GigabitEthernet0/0.3
description $ETH-LAN$
encapsulation dot1Q 503
ip address 10.50.3.254 255.255.255.0
ip helper-address 10.50.1.3
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.4
description $ETH-LAN$
encapsulation dot1Q 504
ip address 10.50.4.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description $ETH-LAN$
ip address * 255.255.255.252
ip access-group 151 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
!
router eigrp 1
network 10.50.1.0 0.0.0.255
network 10.50.2.0 0.0.0.255
network 10.50.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
!
ip local pool SDM_POOL_1 10.50.2.101 10.50.2.121
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static udp 10.50.3.1 5060 interface GigabitEthernet0/1 5060
ip nat inside source static udp 10.50.3.1 10100 interface GigabitEthernet0/1 10100
ip nat inside source static udp 10.50.3.1 10101 interface GigabitEthernet0/1 10101
ip nat inside source static udp 10.50.3.1 10102 interface GigabitEthernet0/1 10102
ip nat inside source static udp 10.50.3.1 10103 interface GigabitEthernet0/1 10103
ip nat inside source static udp 10.50.3.1 10104 interface GigabitEthernet0/1 10104
ip nat inside source static udp 10.50.3.1 10105 interface GigabitEthernet0/1 10105
ip nat inside source static udp 10.50.3.1 10106 interface GigabitEthernet0/1 10106
ip nat inside source static udp 10.50.3.1 10107 interface GigabitEthernet0/1 10107
ip nat inside source static udp 10.50.3.1 10108 interface GigabitEthernet0/1 10108
ip nat inside source static udp 10.50.3.1 10109 interface GigabitEthernet0/1 10109
ip nat inside source static udp 10.50.3.1 10110 interface GigabitEthernet0/1 10110
ip nat inside source static udp 10.50.3.1 10111 interface GigabitEthernet0/1 10111
ip nat inside source static udp 10.50.3.1 10112 interface GigabitEthernet0/1 10112
ip nat inside source static udp 10.50.3.1 10113 interface GigabitEthernet0/1 10113
ip nat inside source static udp 10.50.3.1 10114 interface GigabitEthernet0/1 10114
ip nat inside source static udp 10.50.3.1 10115 interface GigabitEthernet0/1 10115
ip nat inside source static udp 10.50.3.1 10116 interface GigabitEthernet0/1 10116
ip nat inside source static udp 10.50.3.1 10117 interface GigabitEthernet0/1 10117
ip nat inside source static udp 10.50.3.1 10118 interface GigabitEthernet0/1 10118
ip nat inside source static udp 10.50.3.1 10119 interface GigabitEthernet0/1 10119
ip nat inside source static udp 10.50.3.1 10120 interface GigabitEthernet0/1 10120
ip nat inside source static udp 10.50.3.1 10121 interface GigabitEthernet0/1 10121
ip nat inside source static udp 10.50.3.1 10122 interface GigabitEthernet0/1 10122
ip nat inside source static udp 10.50.3.1 10123 interface GigabitEthernet0/1 10123
ip nat inside source static udp 10.50.3.1 10124 interface GigabitEthernet0/1 10124
ip nat inside source static udp 10.50.3.1 10125 interface GigabitEthernet0/1 10125
ip nat inside source static udp 10.50.3.1 10126 interface GigabitEthernet0/1 10126
ip nat inside source static udp 10.50.3.1 10127 interface GigabitEthernet0/1 10127
ip nat inside source static udp 10.50.3.1 10128 interface GigabitEthernet0/1 10128
ip nat inside source static udp 10.50.3.1 10129 interface GigabitEthernet0/1 10129
ip nat inside source static udp 10.50.3.1 10130 interface GigabitEthernet0/1 10130
ip nat inside source static udp 10.50.3.1 10131 interface GigabitEthernet0/1 10131
ip nat inside source static udp 10.50.3.1 10132 interface GigabitEthernet0/1 10132
ip nat inside source static udp 10.50.3.1 10133 interface GigabitEthernet0/1 10133
ip nat inside source static udp 10.50.3.1 10134 interface GigabitEthernet0/1 10134
ip nat inside source static udp 10.50.3.1 10135 interface GigabitEthernet0/1 10135
ip nat inside source static udp 10.50.3.1 10136 interface GigabitEthernet0/1 10136
ip nat inside source static udp 10.50.3.1 10137 interface GigabitEthernet0/1 10137
ip nat inside source static udp 10.50.3.1 10138 interface GigabitEthernet0/1 10138
ip nat inside source static udp 10.50.3.1 10139 interface GigabitEthernet0/1 10139
ip nat inside source static udp 10.50.3.1 10140 interface GigabitEthernet0/1 10140
ip nat inside source static udp 10.50.3.1 10141 interface GigabitEthernet0/1 10141
ip nat inside source static udp 10.50.3.1 10142 interface GigabitEthernet0/1 10142
ip nat inside source static udp 10.50.3.1 10143 interface GigabitEthernet0/1 10143
ip nat inside source static udp 10.50.3.1 10144 interface GigabitEthernet0/1 10144
ip nat inside source static udp 10.50.3.1 10145 interface GigabitEthernet0/1 10145
ip nat inside source static udp 10.50.3.1 10146 interface GigabitEthernet0/1 10146
ip nat inside source static udp 10.50.3.1 10147 interface GigabitEthernet0/1 10147
ip nat inside source static udp 10.50.3.1 10148 interface GigabitEthernet0/1 10148
ip nat inside source static udp 10.50.3.1 10149 interface GigabitEthernet0/1 10149
ip nat inside source static udp 10.50.3.1 10150 interface GigabitEthernet0/1 10150
ip route 0.0.0.0 0.0.0.0 * permanent
!
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.50.3.0 0.0.0.255
access-list 2 permit 10.50.4.0 0.0.0.255
access-list 2 permit 10.50.1.0 0.0.0.255
access-list 23 permit 10.48.0.0 0.15.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.50.0.0 0.0.255.255 any
access-list 100 permit ip 10.53.0.0 0.0.255.255 any
access-list 151 permit udp host 109.61.0.6 any eq 5060
access-list 151 deny   udp any any eq 5060
access-list 151 permit ip any any
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler allocate 20000 1000
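Added example, not part of the original post or of the linked Cisco document: a small Python script that runs a few hygiene checks over an excerpt of the configuration posted above. It checks whether the VPN client pool SDM_POOL_1 is matched by access-list 2, the list the overload NAT rule uses (hairpinned client traffic towards the Internet is only translated if the inside list matches the pool addresses), and it flags a handful of weak settings that are visible in the config: 3DES in ISAKMP policy 1, the 0.0.0.0/0.0.0.0 pre-shared key, cleartext `ip http server`, and telnet on the vty lines. The CONFIG excerpt is constructed from the posted lines (the `*` masking is the forum's), and the function names are my own.

```python
"""Hygiene checks over an excerpt of the posted IOS running-config (added example)."""
import ipaddress
import re

# Constructed excerpt of the posted running-config, limited to the lines the checks read.
CONFIG = """\
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key *
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
ip local pool SDM_POOL_1 10.50.2.101 10.50.2.121
ip http server
ip http secure-server
ip nat inside source list 2 interface GigabitEthernet0/1 overload
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.50.3.0 0.0.0.255
access-list 2 permit 10.50.4.0 0.0.0.255
access-list 2 permit 10.50.1.0 0.0.0.255
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""


def config_lines(config):
    """Yield non-empty, non-comment config lines with indentation removed."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def acl_permit_networks(config, acl_number):
    """Networks permitted by a standard numbered ACL; IOS wildcards become prefixes."""
    pattern = re.compile(rf"^access-list {acl_number} permit (\S+) (\S+)$")
    networks = []
    for line in config_lines(config):
        m = pattern.match(line)
        if m:
            # ipaddress accepts a hostmask (the IOS wildcard form) as the mask part.
            networks.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return networks


def local_pool_addresses(config, pool_name):
    """Every address handed out by 'ip local pool NAME FIRST LAST' (inclusive)."""
    pattern = re.compile(rf"^ip local pool {pool_name} (\S+) (\S+)$")
    for line in config_lines(config):
        m = pattern.match(line)
        if m:
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]
    raise ValueError(f"pool {pool_name} not found")


def nat_inside_acl(config):
    """ACL number referenced by the overloaded 'ip nat inside source list' rule."""
    for line in config_lines(config):
        m = re.match(r"^ip nat inside source list (\S+) interface \S+ overload$", line)
        if m:
            return m.group(1)
    return None


def pool_addresses_not_natted(config, pool_name):
    """Pool addresses that no permit entry of the NAT inside list covers."""
    nets = acl_permit_networks(config, nat_inside_acl(config))
    return [a for a in local_pool_addresses(config, pool_name)
            if not any(a in n for n in nets)]


def weak_settings(config):
    """Weak or cleartext settings visible in the excerpt, in config order."""
    findings, policy = [], None
    for line in config_lines(config):
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)  # 'encr' lines only occur inside a policy block
            continue
        if policy and re.match(r"^encr(yption)? (3des|des)$", line):
            findings.append(f"isakmp policy {policy} uses {line.split()[1]}")
        if re.match(r"^pre-shared-key address 0\.0\.0\.0 0\.0\.0\.0 ", line):
            findings.append("wildcard pre-shared key accepted from any peer")
        if line == "ip http server":
            findings.append("cleartext HTTP management enabled")
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append("telnet accepted on vty lines")
    return findings


if __name__ == "__main__":
    missing = pool_addresses_not_natted(CONFIG, "SDM_POOL_1")
    print(f"{len(missing)} pool addresses not matched by NAT list {nat_inside_acl(CONFIG)}")
    for finding in weak_settings(CONFIG):
        print("weak setting:", finding)
```

Against the posted config every one of the 21 pool addresses (10.50.2.101 through 10.50.2.121) falls outside access-list 2, which only permits the 10.50.1.0, 10.50.3.0 and 10.50.4.0 /24s. The script reads the stripped-indent form the forum shows, so it treats any `encr` line after a `crypto isakmp policy` header as belonging to that policy; on a real `show running-config` the indentation would let you end the block more precisely.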
!