VPN + 1720 [7:27841]

2001-11-30 Thread paul

Maybe I am asking too much ;)
anyway, here goes 'nothing';

Can anyone show me a sample config (or a URL) for a VPN on a router 1720?
(assuming it connects through a frame-relay cloud)
Thanks in advance




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=27841t=27841
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: VPN + 1720 [7:27841]

2001-11-30 Thread VoIP Guy

Here's one I did a few months ago.  The only thing I wasn't comfortable with
was the access list that has to let the internal IPSec addresses back in,
but I couldn't do it any other way.  Does anyone have a better idea?  Maybe
it's the only way it can be done.

Steve

Current configuration : 4387 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Chaston
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
no logging console
enable secret 5 
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
no ip bootp server
ip inspect name STOP smtp
ip inspect name STOP tcp
ip inspect name STOP udp
ip inspect name STOP cuseeme
ip inspect name STOP ftp
ip inspect name STOP h323
ip inspect name STOP rcmd
ip inspect name STOP realaudio
ip inspect name STOP streamworks
ip inspect name STOP vdolive
ip inspect name STOP sqlnet
ip inspect name STOP tftp
ip inspect name GO smtp
ip inspect name GO tcp
ip inspect name GO udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xx160500 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local VPNpool
!
!
crypto ipsec transform-set Strong esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto dynamic-map dynVPNmap 10
 set transform-set Strong
!
!
!
crypto map modecfg client configuration address initiate
crypto map modecfg client configuration address respond
crypto map modecfg 10 ipsec-isakmp dynamic dynVPNmap
!
!
!
!
interface Ethernet0
 ip address  255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map modecfg
 ip policy route-map nonat
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect GO out
 ip inspect STOP in
 speed auto
 no cdp enable
!
ip local pool VPNpool 192.168.100.50 192.168.100.55
ip default-gateway xxx
ip nat pool IntNATpool x xx netmask 255.255.255.252
ip nat inside source route-map rmap pool IntNATpool overload
ip nat inside source static tcp 192.168.1.100 110  110 extendable
ip nat inside source static tcp 192.168.1.100 25 xx 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 
no ip http server
!
access-list 101 permit tcp any any established
access-list 101 permit tcp any host xxx eq telnet
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any host xxx eq pop3
access-list 101 permit tcp any host  eq smtp
access-list 101 permit ip host 192.168.100.50 any
access-list 101 permit ip host 192.168.100.51 any
access-list 101 permit ip host 192.168.100.52 any
access-list 101 permit ip host 192.168.100.53 any
access-list 101 permit ip host 192.168.100.54 any
access-list 101 permit ip host 192.168.100.55 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
route-map rmap permit 10
match ip address 110
!
route-map nonat permit 10
match ip address 120
!
route-map nonat permit 20
!
!
banner motd ^CC
***
NOTICE TO USERS

This is a private computer system and is the property of Chaston
Associates.  It is for authorized use only. Users (authorized or
unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed
to authorized site, and law enforcement personnel, as well as authorized
officials of other agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion
of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree 
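
Added example, not part of Steve's post or of any Cisco tool: a small audit over lines copied from the configuration above. It flags the settings a reviewer would question, including the outside ACL entries that permit the private VPN pool addresses. The rule names, the `audit` function and the choice of checks are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed excerpt: lines copied from the configuration posted above.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xx160500 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set Strong esp-des esp-md5-hmac
access-list 101 permit tcp any any established
access-list 101 permit tcp any host xxx eq telnet
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit ip host 192.168.100.50 any
access-list 101 permit ip host 192.168.100.51 any
ip local pool VPNpool 192.168.100.50 192.168.100.55
"""

def audit(config, outside_acl="101"):
    """Return (rule_id, line) findings for an IOS config given as text."""
    findings = []
    for raw in config.splitlines():
        # Never echo the pre-shared key into a report.
        line = re.sub(r"(crypto isakmp key )\S+", r"\1<redacted>", raw.strip())
        # One key accepted from any peer address.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$", line):
            findings.append(("wildcard-psk", line))
        # Single DES (56-bit) as the ESP cipher.
        if line.startswith("crypto ipsec transform-set") and "esp-des" in line.split():
            findings.append(("des-transform", line))
        # MD5 for IKE hashing or ESP integrity.
        if line == "hash md5" or "esp-md5-hmac" in line.split():
            findings.append(("md5-integrity", line))
        m = re.match(rf"access-list {outside_acl} permit (\S+) (.*)$", line)
        if not m:
            continue
        proto, rest = m.groups()
        # Cleartext management protocol reachable from any source.
        if proto == "tcp" and rest.startswith("any") and re.search(r"eq (telnet|23)$", rest):
            findings.append(("telnet-from-any", line))
        # Private source address permitted on the Internet-facing ACL.
        src = re.match(r"host (\d+\.\d+\.\d+\.\d+) ", rest)
        if src and ipaddress.ip_address(src.group(1)).is_private:
            findings.append(("private-src-on-outside-acl", line))
    return findings

if __name__ == "__main__":
    for rule, text in audit(SAMPLE):
        print(f"{rule:28} {text}")
```
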

Re: VPN + 1720 [7:27841]

2001-11-30 Thread George Murphy CCNP, CCDP

Good timing Paul, I just installed a VPN module in a 1720 last week. I 
have configured the router (after updating the IOS) to establish a 
tunnel as a simple router to router peer over the internet, but it is 
not complete because the other side is not completely installed yet. 
Here are the links I used to get tips. Scroll down to about 1/2 of the 
page and you will see examples for several scenarios. They are pretty 
handy and should save you some time. There is even a link to enable SSH 
on the router. Good Luck!

http://www.cisco.com/warp/public/707/index.shtml





paul wrote:

Maybe I am asking too much ;)
anyway, here goes 'nothing';

Can anyone show me a sample config (or a URL) for a VPN on a router 1720?
(assuming it connects through a frame-relay cloud)
Thanks in advance



