Please HELP

schimmeltc (Level 1)

Hi,

I am trying to get a VPN tunnel up and going between an 871 and a PIX. I have all of the interesting traffic defined and the sets defined as well.

crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MANNY esp-3des
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
!
!
crypto map Manchester 30 ipsec-isakmp
 set peer 63.x.x.x
 set security-association lifetime kilobytes 3600
 set security-association lifetime seconds 7200
 set transform-set ESP-3DES-SHA
 match address VPN_WILL
access-list 1 remark SDM_ACL Category=2
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.20.50.0 0.0.0.255
access-list 2 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.20.50.0 0.0.0.255
access-list 2 permit 10.250.250.0 0.0.0.255
access-list 100 permit ip 10.20.0.0 0.0.255.255 172.16.120.0 0.0.0.255
access-list 102 deny ip 10.20.50.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 10.20.50.0 0.0.0.255 any
access-list 106 permit udp any host 98.175.98.186 eq isakmp
access-list 106 permit esp any host 98.175.98.186
access-list 106 permit ahp any host 98.175.98.186
access-list 106 permit udp any host 98.175.98.186 eq non500-isakmp
access-list 120 permit ip 10.20.50.0 0.0.0.255 172.16.120.0 0.0.0.255
access-list 130 deny ip 68.239.85.0 0.0.0.255 any
access-list 130 deny ip host 255.255.255.255 any
access-list 130 deny ip 127.0.0.0 0.255.255.255 any
access-list 130 permit ip any any
access-list 150 remark VTY Access-class list
access-list 150 remark SDM_ACL Category=1
access-list 150 permit ip 10.20.50.0 0.0.0.255 any
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 permit ip 10.250.250.0 0.0.0.255 any
access-list 150 deny ip any any
snmp-server community public RO
no cdp run
!
route-map nonat permit 30
 match ip address 102 NAT_Exempt
!

Is there another way to init traffic without the Tunnel0 ? Maybe a dialer
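An added example, not part of the original post and not the poster's own tooling: a small lint script that reads an IOS-style crypto configuration and reports the things a reviewer would check first on a crypto-map site-to-site setup, namely whether each `crypto map` entry's `match address` ACL actually exists, whether the transform-set it uses is in transport mode (LAN-to-LAN flows need tunnel mode, so the negotiated mode should be confirmed with `show crypto ipsec sa`), whether a transform-set carries no integrity algorithm, whether the ISAKMP pre-shared key is a wildcard-peer or very short key, and whether legacy ciphers or a default SNMP community are present. The embedded sample is a constructed, shortened copy of the crypto lines from the post above; the finding texts and thresholds (for example the 8-character key length) are the script's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample (assumption): the crypto-related lines from the post,
# with the indentation IOS shows in a running-config. Not the full config.
SAMPLE_CONFIG = """\
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MANNY esp-3des
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
crypto map Manchester 30 ipsec-isakmp
 set peer 63.x.x.x
 set transform-set ESP-3DES-SHA
 match address VPN_WILL
access-list 120 permit ip 10.20.50.0 0.0.0.255 172.16.120.0 0.0.0.255
snmp-server community public RO
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Group IOS-style config into (top-level command, [indented sub-commands]) pairs."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())  # indented: belongs to previous block
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_ipsec_config(config: str) -> List[str]:
    """Return human-readable findings for common crypto-map pitfalls."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # Every ACL name/number defined anywhere in the config (numbered or named).
    acls = set()
    for top, _ in blocks:
        m = re.match(r"(?:ip )?access-list (?:(?:extended|standard) )?(\S+)", top)
        if m:
            acls.add(m.group(1))

    transport_sets = set()  # transform-sets configured with "mode transport"
    for top, sub in blocks:
        if top.startswith("crypto isakmp policy"):
            if "encr 3des" in sub:
                findings.append(f"{top}: 3DES is a legacy cipher")
            if "group 2" in sub:
                findings.append(f"{top}: DH group 2 (1024-bit) is a legacy group")

        m = re.match(r"crypto isakmp key (\S+) address (\S+) (\S+)", top)
        if m:
            key, addr, mask = m.groups()
            if addr == "0.0.0.0" and mask == "0.0.0.0":
                findings.append("isakmp: wildcard pre-shared key accepts any peer address")
            if len(key) < 8:  # threshold is this script's assumption
                findings.append(f"isakmp: pre-shared key is only {len(key)} characters")

        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", top)
        if m:
            name, algs = m.groups()
            if "mode transport" in sub:
                transport_sets.add(name)
            if not any(a.startswith(("esp-sha", "esp-md5", "ah-")) for a in algs.split()):
                findings.append(f"transform-set {name}: no integrity algorithm (encryption only)")

        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", top)
        if m:
            label = f"crypto map {m.group(1)} {m.group(2)}"
            acl = next((l.split()[-1] for l in sub if l.startswith("match address")), None)
            if acl is None:
                findings.append(f"{label}: no match address, nothing selects interesting traffic")
            elif acl not in acls:
                findings.append(f"{label}: match address {acl} references an ACL not defined in this config")
            if not any(l.startswith("set peer") for l in sub):
                findings.append(f"{label}: no set peer")
            for l in sub:
                if l.startswith("set transform-set"):
                    for ts in l.split()[2:]:
                        if ts in transport_sets:
                            findings.append(f"{label}: transform-set {ts} is in transport mode; "
                                            "LAN-to-LAN traffic needs tunnel mode, confirm with "
                                            "'show crypto ipsec sa'")

        m = re.match(r"snmp-server community (\S+)", top)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"snmp: default community string '{m.group(1)}'")

    return findings


if __name__ == "__main__":
    for f in lint_ipsec_config(SAMPLE_CONFIG):
        print("-", f)
```

Run it against a `show running-config` capture saved to a file by reading the file into `lint_ipsec_config`; the parser only relies on the one-space indentation IOS uses for sub-commands, so it works on real captures as well as on the constructed sample.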

1 Reply

schimmeltc (Level 1)

BTW, the config above does not include the access-class deny statement.
