04-10-2012 08:38 AM
I have an IPSEC VPN across a satellite connection. My satellite provider provides TCP acceleration from both ends to make the experience better, which it does for most traffic. However, with my IPSEC VPN (router on my end and pix on the other), the traffic is encrypted in UDP 500 traffic so the TCP headers are never seen and can't be accelerated. My thoughts on this are to use IPSEC over TCP, much like some people do when NAT comes into play or some weird firewall. Would this work? If I configure my 2811 to use IPSEC over TCP (isakmp ctcp port 45 or something similar), then the TCP acceleration would be able to do its job. My only fear is the PIX 515e on the other end of the tunnel won't support this feature. Any help is appreciated.
04-11-2012 11:29 AM
Did you try with IPsec over TCP enabled?
Please try it first without this feature enabled.
Which device is acting as the server and which as the client?
Thanks.
04-11-2012 11:53 AM
No, I turned it on and then turned off the crypto map command and left the client one in there. I am watching my PIX log (pix is server and 2811 is client) and Phase 1 completes, but Phase 2 doesn't. Now I'm stuck because the remote end lost connectivity and I don't have anyone there to get in right now. Any ideas of what I missed?
04-11-2012 12:00 PM
We would need the configuration of both units to identify the issue.
Please share that information.
Thanks.
04-11-2012 12:01 PM
Will do.
04-11-2012 01:20 PM
OK, attached are the configs. I left both versions of IPSEC on the 2811 so that I could still remote in. Again, the PIX logs show that Phase 1 completes, but then Phase 2 never completes.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.11 12:12:43 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...
Current configuration : 12673 bytes
!
! Last configuration change at 19:12:30 UTC Wed Apr 11 2012 by craigrobertlee
! NVRAM config last updated at 19:12:25 UTC Wed Apr 11 2012 by craigrobertlee
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname craig_afg_router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9_ivs-mz.124-24.T7.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret 5 XXXXXXXX
!
no aaa new-model
!
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp pool DATA
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
option 150 ip 192.168.11.1
dns-server 109.235.205.49 109.235.204.7
!
ip dhcp pool VOICE_LAN
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
option 150 ip 192.168.11.1
!
!
ip domain name craig.net
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW bittorrent
ip inspect name FW http
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice service voip
allow-connections h323 to h323
fax protocol cisco
h323
sip
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
dspfarm
dsp services dspfarm
!
!
!
username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXX address 68.0.184.178 no-xauth
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec transform-set SET2 esp-3des esp-sha-hmac
crypto ipsec transform-set SET3 esp-aes esp-sha-hmac
crypto ipsec transform-set SET4 esp-3des esp-md5-hmac comp-lzs
!
crypto ipsec client ezvpn VPN1
connect auto
group afghanclient key XXXXXXX
mode network-extension
username afghanrouter password XXXXXXXX
xauth userid mode local
!
!
crypto map ipsec-maps 10 ipsec-isakmp
set peer 68.0.X.X
set security-association idle-time 60
set transform-set SET1
match address 102
qos pre-classify
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh source-interface Vlan1
ip ssh rsa keypair-name craigkey
ip ssh version 2
!
class-map match-any WEB_BROWSERS
match protocol dns
match protocol secure-http
class-map match-all TORRENTS
match protocol bittorrent
match protocol edonkey
match protocol directconnect
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
class-map match-any packet-40
match packet length min 40 max 89
class-map match-any packet-90
match packet length min 90 max 159
class-map match-any VOIP_PHONES
match protocol rtp
match dscp ef
match access-group 103
class-map match-any VOIP_SOFTWARE
match protocol h323
match protocol skype
class-map match-any DOWNLOADERS
match protocol ftp
match protocol secure-ftp
!
!
policy-map PRIORITIZE_PROTOCOLS
class VOIP_PHONES
bandwidth percent 28
class VOIP_SOFTWARE
bandwidth percent 20
class WEB_BROWSERS
bandwidth percent 50
class DOWNLOADERS
bandwidth percent 1
set dscp cs1
class TORRENTS
drop
class class-default
fair-queue
policy-map POLICE
class class-default
shape average 200000 220000 0
service-policy PRIORITIZE_PROTOCOLS
!
!
!
!
!
interface FastEthernet0/0
description Link to SAT Modem
bandwidth 240
bandwidth receive 900
ip address 109.235.X.X 255.255.255.252
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect FW out
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map ipsec-maps
crypto ipsec client ezvpn VPN1
service-policy output POLICE
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
description Trunk to Switch
switchport mode trunk
load-interval 30
!
interface FastEthernet0/1/1
description David Gray/Javier Aanonsen
switchport voice vlan 11
load-interval 30
spanning-tree portfast
!
interface FastEthernet0/1/2
description Wireless Router
switchport voice vlan 11
!
interface FastEthernet0/1/3
description Craig
switchport voice vlan 11
!
interface FastEthernet0/1/4
description Thomas Coulbourne
switchport voice vlan 11
shutdown
!
interface FastEthernet0/1/5
description Keith Sifford
switchport voice vlan 11
!
interface FastEthernet0/1/6
description Joe Jordan
switchport voice vlan 11
!
interface FastEthernet0/1/7
description Rene Mendez
switchport voice vlan 11
shutdown
!
interface FastEthernet0/1/8
description Wayne Bradley
switchport voice vlan 11
shutdown
!
interface GigabitEthernet0/2/0
no ip address
shutdown
negotiation auto
!
interface Vlan1
description DATA VLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect FW in
no ip virtual-reassembly
crypto ipsec client ezvpn VPN1 inside
!
interface Vlan11
description VOICE LAN
ip address 192.168.11.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
h323-gateway voip bind srcaddr 192.168.11.1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 109.235.205.49
no ip http server
no ip http secure-server
!
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 192.168.1.10 2055
ip flow-export destination 192.168.10.36 2055
!
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 5 remark SSH_ACL
access-list 5 permit 192.168.10.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.3.255
access-list 6 permit 192.168.1.10
access-list 6 remark SNMP
access-list 6 permit 192.168.10.0 0.0.0.255
access-list 101 remark NO_NAT
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 remark CRAIG_HOME_VPN
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address 101
!
!
snmp-server community CRAIGNET RW 6
snmp-server trap-source Vlan1
snmp-server source-interface informs Vlan1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps gatekeeper
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps xgcp
snmp-server enable traps flash insertion removal
snmp-server enable traps adslline
snmp-server enable traps ds3
snmp-server enable traps envmon
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps license
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps bgp
snmp-server enable traps bstun
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps dial
snmp-server enable traps dlsw
snmp-server enable traps dsp card-status
snmp-server enable traps dsp oper-state
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmobile
snmp-server enable traps ipmulticast
snmp-server enable traps mpls ldp
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps event-manager
snmp-server enable traps firewall serverstatus
snmp-server enable traps rf
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ccme
snmp-server enable traps srst
snmp-server enable traps mpls vpn
snmp-server enable traps voice
snmp-server enable traps dnis
snmp-server host 192.168.1.10 version 2c CRAIGNET
!
control-plane
!
!
!
!
!
!
dspfarm profile 20 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 4
!
!
dial-peer voice 1 voip
description 11 Digit Dialing
destination-pattern 1[2-9].........
session target ipv4:192.168.2.5
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 2 voip
description 10 Digit Dialing
destination-pattern [2-9].........
session target ipv4:192.168.2.5
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 3 voip
destination-pattern 10..
session target ipv4:192.168.2.5
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 4 voip
incoming called-number .
dtmf-relay h245-alphanumeric
no vad
!
dial-peer voice 5 voip
description International Dialing
destination-pattern 9800*
session target ipv4:192.168.2.5
dtmf-relay h245-alphanumeric
no vad
!
!
!
!
gatekeeper
shutdown
!
!
telephony-service
video
max-ephones 10
max-dn 10
ip source-address 192.168.11.1 port 2000
auto assign 1 to 1
service phone VideoCapability 1
service phone videoCapability 1
max-conferences 8 gain -6
transfer-system full-consult
create cnf-files version-stamp 7960 Mar 09 2012 00:47:38
!
!
ephone-dn 1 dual-line
number 2001
!
!
ephone-dn 2 dual-line
number 2002
!
!
ephone-dn 3 dual-line
number 2003
!
!
ephone 1
no phone-ui speeddial-fastdial
no phone-ui snr
no multicast-moh
device-security-mode none
video
mac-address 0019.E89A.834F
codec g729r8
type 7911
!
!
!
ephone 2
device-security-mode none
video
mac-address B8AC.6F79.3677
codec g729r8
type CIPC
button 1:2
!
!
!
ephone 3
device-security-mode none
mac-address 0019.E89A.8E4F
codec g729r8
type 7911
button 1:1
!
!
!
ephone 4
device-security-mode none
video
mac-address 001F.166B.89D3
codec g729r8
type CIPC
button 1:3
!
!
!
line con 0
exec-timeout 0 0
login local
line aux 0
line vty 0 4
access-class 5 in
login local
transport input ssh
line vty 5 15
login
no exec
!
scheduler allocate 20000 1000
ntp server 192.43.244.18
end
craig_afg_router#exit
04-11-2012 01:20 PM
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.11 12:38:43 =~=~=~=~=~=~=~=~=~=~=~=
show run
: Saved
:
PIX Version 8.0(4)28
!
hostname 10
domain-name dyndns-at-home.com
enable XXXXXX encrypted
passwd XXXXXX encrypted
names
name 192.168.3.0 WIFI_LAN
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.252
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.128
!
interface Ethernet1.2
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.3
vlan 3
nameif VLAN3
security-level 100
ip address 192.168.1.253 255.255.255.252
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name dyndns-at-home.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service radius udp
port-object range 1812 1813
object-group service DM_INLINE_UDP_1 udp
port-object eq snmp
port-object eq snmptrap
object-group network DM_INLINE_NETWORK_2
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp host 192.168.0.1 host 192.168.1.126 range 1812 1813
access-list outside_access_in extended permit udp host 192.168.0.5 host 192.168.1.10 object-group DM_INLINE_UDP_1
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list VLAN2_access_in extended permit icmp any any
access-list VLAN2_access_in extended permit tcp any any
access-list VLAN2_access_in extended permit udp any any
access-list vpnclient_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit WIFI_LAN 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.16.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpnclient_splitTunnelAcl standard permit 192.168.11.0 255.255.255.0
access-list voice_client_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.252.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.16.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 192.168.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.128 192.168.2.96 255.255.255.224
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.252.0 192.168.15.0 255.255.255.0
access-list VLAN3_access_in extended permit icmp any any
access-list VLAN3_access_in extended permit tcp any any
access-list VLAN3_access_in extended permit udp any any
access-list VLAN2_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.2.96 255.255.255.224
access-list afghanclient_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu VLAN2 1500
mtu VLAN3 1500
ip local pool vpn_client_pool 192.168.2.101-192.168.2.120 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (VLAN2) 0 access-list VLAN2_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group VLAN2_access_in in interface VLAN2
access-group VLAN3_access_in in interface VLAN3
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route VLAN3 WIFI_LAN 255.255.255.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.126
key XXXXXXXX
authentication-port 1812
accounting-port 1813
radius-common-pw XXXXXXXX
aaa authentication telnet console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http WIFI_LAN 255.255.255.0 VLAN3
http 192.168.2.0 255.255.255.0 VLAN2
http 192.168.10.0 255.255.255.0 outside
snmp-server host inside 192.168.1.10 community craighome1 version 2c
snmp-server location Home
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
sysopt connection timewait
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 184.179.X.X
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 174.79.X.X
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 109.235.X.X
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map VLAN2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VLAN2_map interface VLAN2
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable VLAN2
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 VLAN2
ssh 192.168.10.0 255.255.255.0 VLAN2
ssh WIFI_LAN 255.255.255.0 VLAN3
ssh timeout 5
console timeout 0
management-access VLAN2
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd dns 8.8.8.8 8.8.8.8 interface inside
dhcpd option 150 ip 192.168.2.5 interface inside
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.2.100-192.168.2.115 VLAN2
dhcpd dns 8.8.8.8 8.8.4.4 interface VLAN2
dhcpd option 3 ip 192.168.2.1 interface VLAN2
dhcpd option 150 ip 192.168.2.5 interface VLAN2
dhcpd enable VLAN2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy vpnclient internal
group-policy vpnclient attributes
banner value Welcome to the ATW (Arizona Hub) Network...
dns-server value 192.168.1.252 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
group-policy afghanclient internal
group-policy afghanclient attributes
dns-server value 192.168.1.126
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value afghanclient_splitTunnelAcl
default-domain value craignetwork.net
group-policy voice_client internal
group-policy voice_client attributes
banner value Welcome to the Craig Voice network...
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value voice_client_splitTunnelAcl
username craigrobertlee password XXXXXX encrypted privilege 15
username jonathan.thiessen password XXXXXXXXXX encrypted
username jonathan.thiessen attributes
vpn-group-policy vpnclient
service-type remote-access
username rene.mendez password XXXXXXx encrypted
username rene.mendez attributes
vpn-group-policy vpnclient
service-type remote-access
username afghanrouter password XXXXXXXXxx encrypted privilege 0
username afghanrouter attributes
vpn-group-policy afghanclient
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool vpn_client_pool
authentication-server-group RADIUS LOCAL
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group 184.179.X.X type ipsec-l2l
tunnel-group 184.179.X.X ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group 174.79.X.X type ipsec-l2l
tunnel-group 174.79.X.X ipsec-attributes
pre-shared-key *
tunnel-group voice_client type remote-access
tunnel-group voice_client general-attributes
address-pool vpn_client_pool
default-group-policy voice_client
tunnel-group voice_client ipsec-attributes
pre-shared-key *
tunnel-group afghanclient type remote-access
tunnel-group afghanclient general-attributes
address-pool vpn_client_pool
default-group-policy afghanclient
tunnel-group afghanclient ipsec-attributes
pre-shared-key *
tunnel-group 109.235.X.X type ipsec-l2l
tunnel-group 109.235.X.X ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e36be22e54d44c329a8cbbee6cf07535
: end
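As an added example (not part of the thread, and not tooling from either device): a small checker that reads the settings a Phase 2 failure like the one above usually comes down to, the IPsec-over-TCP port, the ESP proposal and the mirror-image crypto ACLs, from the two configs and reports any mismatch. The excerpts below are constructed from the crypto lines posted here (masked peer addresses omitted), and the checker assumes the first crypto map entry in each excerpt is the one for this tunnel.

```python
import re
from ipaddress import ip_network

# Constructed excerpts of the two configs posted in the thread (crypto lines only; masked peer addresses omitted).
IOS_CFG = """\
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto map ipsec-maps 10 ipsec-isakmp
 set transform-set SET1
 match address 102
crypto ctcp port 10000
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
PIX_CFG = """\
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set transform-set ESP-3DES-MD5
crypto isakmp ipsec-over-tcp port 10000
"""

def phase2_params(cfg):
    """TCP port ('crypto ctcp port' on IOS, 'crypto isakmp ipsec-over-tcp port' on PIX), crypto ACL name
    and ESP transforms of the first crypto map entry; the map and transform-set keywords match on both."""
    port = re.search(r"^crypto (?:ctcp|isakmp ipsec-over-tcp) port (\d+)", cfg, re.M)
    ts_name = re.search(r"set transform-set (\S+)", cfg).group(1)
    transforms = re.search(rf"^crypto ipsec transform-set {re.escape(ts_name)} (.+)$", cfg, re.M).group(1)
    return {"port": int(port.group(1)) if port else None,
            "acl": re.search(r"match address (\S+)", cfg).group(1),
            "transforms": frozenset(transforms.split())}

def object_groups(cfg):
    """PIX/ASA 'object-group network NAME' blocks -> {NAME: [networks]} (empty for an IOS config)."""
    groups, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("object-group network "):
            cur = groups.setdefault(line.split()[2], [])
        elif cur is not None and line.strip().startswith("network-object "):
            net, mask = line.split()[1:3]
            cur.append(ip_network(f"{net}/{mask}"))
    return groups

def crypto_acl_pairs(cfg, acl_name):
    """(src, dst) networks the crypto ACL protects; ip_network reads an IOS wildcard as a hostmask and a PIX netmask alike."""
    groups = object_groups(cfg)
    def expand(kind, val):  # one two-token address spec -> list of networks
        return groups[val] if kind == "object-group" else [ip_network(f"{kind}/{val}")]
    pairs = set()
    for m in re.finditer(rf"^access-list {re.escape(acl_name)} (?:extended )?permit ip (.+)$", cfg, re.M):
        t = m.group(1).split()
        pairs.update((s, d) for s in expand(*t[:2]) for d in expand(*t[2:4]))
    return pairs

def check_peers(ios_cfg, pix_cfg):
    """Mismatches that would stop the TCP encapsulation or the Phase 2 proposal between the two peers."""
    ios, pix = phase2_params(ios_cfg), phase2_params(pix_cfg)
    problems = []
    if ios["port"] != pix["port"]:
        problems.append(f"IPsec-over-TCP port differs: IOS {ios['port']} vs PIX {pix['port']}")
    if ios["transforms"] != pix["transforms"]:
        problems.append(f"transform sets disagree: {sorted(ios['transforms'])} vs {sorted(pix['transforms'])}")
    router_view = crypto_acl_pairs(ios_cfg, ios["acl"])  # (local, remote) as the 2811 sees it
    pix_mirrored = {(d, s) for s, d in crypto_acl_pairs(pix_cfg, pix["acl"])}  # PIX ACL flipped to that view
    for s, d in sorted(router_view ^ pix_mirrored, key=str):  # anything not mirrored exactly
        problems.append(f"crypto ACL not mirrored for {s} -> {d} (router's view)")
    return problems
```

On the excerpts as pasted, `check_peers(IOS_CFG, PIX_CFG)` returns an empty list: port 10000, the 3DES/MD5 proposal and the two crypto ACLs agree, so those three are ruled out and the rest of the two configurations is where to keep looking.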
04-12-2012 12:07 PM
Did anyone see where I missed something?