Current configuration : 6065 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco837-Latintec
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Knyf$6JY7Xz8MYPbA6YP1W98z50
!
username eduardo password 7 0203004E180F03376C1F5B4A
username daniel password 7 04490E021C2A55
clock timezone GMT -3
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login consolevty local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_xauth_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.2.1 192.168.2.4
!
ip dhcp pool RedeLatintec
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 200.176.2.10 200.176.2.12
!
!
ip domain name latintec.com.br
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 200.182.12.162
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group sdm_vpn_group_ml_1
 key latintec@vpn
 dns 200.176.2.10 200.176.2.12
 pool SDM_POOL_1
 acl 107
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto ipsec transform-set teste esp-des esp-md5-hmac
crypto ipsec transform-set transform-02 esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set transform-02
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to200.182.12.162
 set peer 200.182.12.162
 set transform-set teste
 match address 109
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 description Interna
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 1/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description Externa
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname CROS58897973@ae.cr
 ppp chap password 7 00514255570F5850567015
 ppp pap sent-username CROS58897973@ae.cr password 7 040E5A555C751F1850485C
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 172.18.0.1 172.18.0.5
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static udp 192.168.2.4 161 200.102.214.240 161 extendable
ip nat inside source static udp 192.168.2.4 162 200.102.214.240 162 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 1 permit 201.22.212.101
access-list 1 permit 200.102.214.240
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.1
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.2
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.3
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.4
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community l@tint3c RW
snmp-server trap-source Ethernet0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps pppoe
snmp-server enable traps l2tun session
snmp-server enable traps rtr
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps config
snmp-server host 192.168.2.4 version 2c l@tint3c
!
control-plane
!
banner motd ^C
*************************************************
**                                             **
**           Access Authorized Only            **
**                 to Latintec                 **
**               Administrators                **
**                                             **
*************************************************
^C
!
line con 0
 password 7 082D4D5A00171112112B0F0B24382B2436
 logging synchronous
 login authentication consolevty
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 1 in
 password 7 110518111E1C1F09070A3F21243D3036
 logging synchronous
 login authentication consolevty
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
!
end

Cisco837-Latintec# sh run
Building configuration...

Current configuration : 6586 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco837-Latintec
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Knyf$6JY7Xz8MYPbA6YP1W98z50
!
username eduardo password 7 0203004E180F03376C1F5B4A
username daniel password 7 04490E021C2A55
username latintec-client password 7 094F42001C0B031B0F2C557878
clock timezone GMT -3
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login consolevty local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_xauth_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.2.1 192.168.2.4
!
ip dhcp pool RedeLatintec
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 200.176.2.10 200.176.2.12
!
!
ip domain name latintec.com.br
ip name-server 200.176.2.10
ip name-server 200.176.2.12
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
no crypto isakmp enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco1234 address 200.181.12.162 no-xauth
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group sdm_vpn_group_ml_1
 key latintec@vpn
 dns 200.176.2.10 200.176.2.12
 pool SDM_POOL_1
 acl 107
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto ipsec transform-set teste esp-des esp-md5-hmac
crypto ipsec transform-set transform-02 esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set transform-02
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description tunnel to 200.181.12.162
 set peer 200.181.12.162
 set transform-set teste
 match address 109
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description Interna
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 1/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 description Externa
 ip address negotiated
 ip access-group DenyTraffic in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname CROS58897973@ae.cr
 ppp chap password 7 00514255570F5850567015
 ppp pap sent-username CROS58897973@ae.cr password 7 040E5A555C751F1850485C
!
ip local pool SDM_POOL_1 172.18.0.1 172.18.0.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip nat inside source static udp 192.168.2.4 161 200.102.214.240 161 extendable
ip nat inside source static udp 192.168.2.4 162 200.102.214.240 162 extendable
!
!
ip access-list extended DenyTraffic
 deny icmp any host 200.102.214.240 echo
 permit ip any any
access-list 1 permit 201.22.212.101
access-list 1 permit 200.102.214.240
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.1
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.2
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.3
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.4
access-list 100 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.5
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 192.168.2.0 0.0.0.255 any
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
access-list 109 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community l@tint3c RW
snmp-server trap-source Ethernet0
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps pppoe
snmp-server enable traps l2tun session
snmp-server enable traps rtr
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps config
snmp-server host 192.168.2.4 version 2c l@tint3c
!
control-plane
!
banner motd ^C
*************************************************
**                                             **
**           Access Authorized Only            **
**                 to Latintec                 **
**               Administrators                **
**                                             **
*************************************************
^C
!
line con 0
 password 7 082D4D5A00171112112B0F0B24382B2436
 logging synchronous
 login authentication consolevty
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 1 in
 password 7 110518111E1C1F09070A3F21243D3036
 logging synchronous
 login authentication consolevty
 transport preferred none
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
end

Cisco837-Latintec#sh ip access
Cisco837-Latintec#sh ip access-lists
Standard IP access list 1
    10 permit 201.22.212.101
    20 permit 200.102.214.240
    30 permit 192.168.2.0, wildcard bits 0.0.0.255
    40 permit 172.18.0.0, wildcard bits 0.0.255.255
Extended IP access list 100
    10 deny ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
    20 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 (179 matches)
    30 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.1
    40 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.2
    50 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.3
    60 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.4
    70 deny ip 192.168.2.0 0.0.0.255 host 172.18.0.5
    80 permit ip 192.168.2.0 0.0.0.255 any (51 matches)
Extended IP access list 107
    10 permit ip 192.168.2.0 0.0.0.255 any
Extended IP access list 109
    10 permit ip 192.168.2.0 0.0.0.255 10.59.30.0 0.0.0.127
    20 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list DenyTraffic
    10 deny icmp any host 200.102.214.240 echo (24 matches)
    20 permit ip any any (957 matches)
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log
Cisco837-Latintec#