
2 DMVPN Tunnels via separate ISP on one spoke

Marley Brown
Level 1

Hi,

I am trying to set up a backup DMVPN tunnel at a spoke site. When I do a sh DMVPN on the hub side I get the following. I can ping across tunnel0 but not tunnel1.


Tunnel0, Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    x.x.x.153      11.11.11.2    UP    never D
    

Tunnel1, Type:Hub, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    x.x.x.154      11.11.12.2    UP    never DN

The primary tunnel shows the IP assigned from ISP1 and the backup tunnel is the gateway from ISP1

sh ip nhrp on the hub: x.x.x->ISP1 y.y.y->ISP2

11.11.12.2/32 via 11.11.12.2, Tunnel1 created 00:07:34, expire 00:05:28
  Type: dynamic, Flags: registered used
  NBMA address: x.x.x.154
    (Claimed NBMA address: y.y.y.185)

Any help would be appreciated,

M
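Added example (not part of the original post): a small parser for `sh ip nhrp` output in the layout shown above that flags registrations where the hub saw one source address (`NBMA address`) while the spoke claimed another (`Claimed NBMA address`), which is the condition visible on Tunnel1. The sample text is constructed with documentation addresses, and the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns follow the output layout quoted in the post; other IOS
# releases may wrap these lines differently.
ENTRY_RE = re.compile(r"^(?P<prefix>\S+) via (?P<peer>\S+), (?P<tunnel>Tunnel\d+) ")
NBMA_RE = re.compile(r"^\s*NBMA address:\s*(?P<addr>\S+)")
CLAIMED_RE = re.compile(r"^\s*\(Claimed NBMA address:\s*(?P<addr>[^)\s]+)\)")


@dataclass
class NhrpEntry:
    peer_tunnel_ip: str
    tunnel_if: str
    nbma: Optional[str] = None          # source address the hub actually saw
    claimed_nbma: Optional[str] = None  # address the spoke put in its registration

    @property
    def mismatch(self) -> bool:
        # IOS prints the claimed address only when it differs from the observed
        # one, i.e. the registration was translated or left via another path.
        return self.claimed_nbma is not None and self.claimed_nbma != self.nbma


def parse_show_ip_nhrp(text: str) -> List[NhrpEntry]:
    entries: List[NhrpEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NhrpEntry(m["peer"], m["tunnel"]))
            continue
        if not entries:
            continue  # detail line before any entry header: ignore
        m = NBMA_RE.match(line)
        if m:
            entries[-1].nbma = m["addr"]
            continue
        m = CLAIMED_RE.match(line)
        if m:
            entries[-1].claimed_nbma = m["addr"]
    return entries


def mismatched_tunnels(text: str) -> List[str]:
    """Tunnel interfaces with at least one observed/claimed NBMA mismatch."""
    seen: List[str] = []
    for e in parse_show_ip_nhrp(text):
        if e.mismatch and e.tunnel_if not in seen:
            seen.append(e.tunnel_if)
    return seen


# Constructed sample in the same layout as the hub output in the post.
SAMPLE = """\
11.11.11.2/32 via 11.11.11.2, Tunnel0 created 00:09:10, expire 00:05:02
  Type: dynamic, Flags: registered used
  NBMA address: 192.0.2.153
11.11.12.2/32 via 11.11.12.2, Tunnel1 created 00:07:34, expire 00:05:28
  Type: dynamic, Flags: registered used
  NBMA address: 192.0.2.154
    (Claimed NBMA address: 198.51.100.185)
"""

if __name__ == "__main__":
    for e in parse_show_ip_nhrp(SAMPLE):
        status = "MISMATCH" if e.mismatch else "ok"
        print(f"{e.tunnel_if} {e.peer_tunnel_ip}: observed={e.nbma} "
              f"claimed={e.claimed_nbma or '-'} [{status}]")
```

A flagged tunnel means the registration did not arrive from the address the spoke believes it is sourcing from, so the spoke's egress path or NAT for that tunnel source is the first thing to check.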

23 Replies

Georg,

These are cisco 1811 running c181x-advipservicesk9-mz.124-24.T5

Thanks,

M

Georg,

Here is the output from sh dmvpn detail. I see that this is a shared session and I am guessing that is why when any of the tunnels get shut/no shut they both drop.

What I don't understand is why tunnel0 never comes up unless I specifically do a shut/no shut on it.

Interface: Tunnel1 Tunnel0
Session: [0x85880BBC]
  IKE SA: local 96.94.49.153/500 remote 50.235.49.163/500 Active
          Capabilities:(none) connid:2002 lifetime:23:59:50
  Crypto Session Status: UP-ACTIVE
  fvrf: (none), Phase1_id: 50.235.49.163
  IPSEC FLOW: permit 47 host 99.14.166.185 host 50.235.49.163
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 3 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform :
    Socket State: Closed
  IKE SA: local 96.94.49.153/500 remote 50.235.49.163/500 Active
          Capabilities:(none) connid:2002 lifetime:23:59:50
  IPSEC FLOW: permit 47 host 96.94.49.153 host 50.235.49.163
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 60 drop 0 life (KB/Sec) 4519579/3590
        Outbound: #pkts enc'ed 68 drop 0 life (KB/Sec) 4519580/3590
   Outbound SPI : 0xB7C04CC1, transform : esp-3des esp-sha-hmac
    Socket State: Open

Hello,

I am thinking that the problem might be the service provider not accepting the same IPSec profile from two different tunnels.

Can you try and create a different IPSec profile for tunnel 1 ?

By the way, I checked for bugs, none found in your IOS version.

Georg,

Do you mean just a new IPsec profile using the same crypto isakmp profile?

ex now there is:

crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0

crypto ipsec profile CiscoCP_Profile2
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ccp-dmvpn-isakmprofile

so the new one could be?

crypto ipsec profile CiscoCP_Profiletunnel1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ccp-dmvpn-isakmprofile

I won't be able to test until the weekend.

Thanks,

M

Hello,

the isakmp profile needs to be different for both ipsec profiles, as this is usually what the providers use to distinguish tunnels (and customers).

So, create two isakmp profiles and two ipsec profiles...

Curious to know if this works...

Hello,

I have made a few small adjustments (marked in bold) to your config, such as the delay parameters, tcp adjust-mss parameters, and also added a summary route to the hub. The 'shared' keyword has also been added to the tunnel protection.

HUB
!
hostname A&M-_RT
!
multilink bundle-name authenticated
!
spanning-tree portfast bpduguard
!
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key Private
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ansbacher
key ansbachersti01x
dns 10.4.1.12
wins 10.4.1.12
pool SDM_POOL_1
acl 100
!
crypto isakmp client configuration group ansbacher1
key Private
dns 10.4.1.10
pool SDM_POOL_1
acl 106
crypto isakmp profile sdm-ike-profile-1
match identity group ansbacher
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-1
match identity group ansbacher1
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
qos-group 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA2
set isakmp-profile ccp-dmvpn-isakmprofile
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
crypto ctcp port 10000 11000 12000
archive
log config
hidekeys
!
interface Tunnel0
description $FW_INSIDE$
bandwidth 100000
ip address 11.11.11.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
no ip route-cache cef
ip tcp adjust-mss 1360
delay 1000
no ip split-horizon eigrp 100
no clns route-cache
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2 shared
!
interface Tunnel1
description BACKUP
bandwidth 24000
ip address 11.11.12.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 100
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 2
ip nhrp holdtime 360
ip summary-address eigrp 100 0.0.0.0 0.0.0.0
ip tcp adjust-mss 1360
delay 1500
no ip split-horizon eigrp 100
delay 1001
no clns route-cache
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile CiscoCP_Profile2 shared
!
interface FastEthernet0
description COMCAST FIBER
ip address x.x.x.163 255.255.255.248
ip verify unicast reverse-path
ip inspect CCP_LOW out
ip virtual-reassembly
ip tcp adjust-mss 1400
duplex auto
speed auto
!
interface FastEthernet1
description $FW_OUTSIDE$
ip address y.y.y.125 255.255.255.248
ip access-group 112 in
ip verify unicast reverse-path
ip nat outside
ip inspect CCP_LOW out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet1
ip access-group 108 in
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
description $FW_INSIDE$
ip unnumbered FastEthernet1
ip access-group 109 in
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 100.10.10.2 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1412
!
router eigrp 100
redistribute static
network 11.11.11.0 0.0.0.255
network 11.11.12.0 0.0.0.255
no auto-summary
neighbor 11.11.11.3 Tunnel0
neighbor 11.11.11.2 Tunnel0
neighbor 11.11.12.2 Tunnel1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.235.49.161
ip route 10.4.1.0 255.255.255.0 100.10.10.1
ip route 10.5.1.0 255.255.255.0 11.11.11.2
ip route 10.6.1.0 255.255.255.0 11.11.11.3
ip route 10.7.1.0 255.255.255.0 11.11.11.4
ip route 172.20.2.0 255.255.255.0 11.11.11.3
ip route 192.168.10.0 255.255.255.0 11.11.11.3
ip route 192.168.12.0 255.255.255.0 11.11.11.2
ip route 192.168.12.0 255.255.255.0 11.11.12.2 200
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!

ip nat pool comcast x.x.x.125 173.165.198.125 netmask 255.255.255.248

SPOKE
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
ip cef
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto keyring ccp-dmvpn1-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key private
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key private address x.x.x.163
crypto isakmp keepalive 30 5
!
crypto isakmp client configuration group ansbacher
key ansbachersti01x
pool SDM_POOL_1
acl 100
crypto isakmp profile ciscocp-ike-profile-1
match identity group ansbacher
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA2
!
class class-default
!
interface Tunnel0
bandwidth 200000
ip address 11.11.11.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 11.11.11.1 50.235.49.163
ip nhrp map multicast 50.235.49.163
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 11.11.11.1
ip nhrp registration no-unique
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile2 shared
!
interface Tunnel1
bandwidth 24000
ip address 11.11.12.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 11.11.12.1 50.235.49.163
ip nhrp map multicast 50.235.49.163
ip nhrp network-id 2
ip nhrp holdtime 360
ip nhrp nhs 11.11.12.1
ip nhrp registration no-unique
ip tcp adjust-mss 1360
delay 1500
tunnel source FastEthernet1
tunnel mode gre multipoint
tunnel key 2
tunnel protection ipsec profile CiscoCP_Profile2 shared
!
interface FastEthernet0
description $ETH-WAN$
ip address y.y.y.153 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip policy route-map tunnel0
duplex auto
speed auto
service-policy output CCP-QoS-Policy-1
!
interface FastEthernet1
ip address z.z.z.185 255.255.255.248
ip nat outside
ip virtual-reassembly
ip policy route-map tunnel1
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
ip address 10.5.1.1 255.255.255.0
ip helper-address 10.4.1.12
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 192.168.12.1 255.255.255.0
ip helper-address 10.4.1.12
ip nat inside
ip virtual-reassembly
!
router eigrp 100
redistribute static
network 10.5.1.0 0.0.0.255
network 11.11.11.0 0.0.0.255
network 11.11.12.0 0.0.0.255
no auto-summary
neighbor 11.11.11.1 Tunnel0
neighbor 11.11.12.1 Tunnel1
!
ip local pool SDM_POOL_1 172.20.2.1 172.20.2.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.94.49.154
ip route 0.0.0.0 0.0.0.0 99.14.166.190 20
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source static tcp 10.5.1.253 8000 interface FastEthernet0 8000
ip nat inside source static tcp 10.5.1.253 8554 interface FastEthernet0 8554
ip nat inside source route-map att interface FastEthernet1 overload
ip nat inside source route-map comcast interface FastEthernet0 overload
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.5.1.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 2 permit 11.11.11.0 0.0.0.255
access-list 3 permit 11.11.12.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.4.1.0 0.0.0.255 any
access-list 100 permit ip 10.5.1.0 0.0.0.255 any
access-list 110 remark CCP_ACL Category=256
access-list 110 permit udp any any range 6000 6036
no cdp run
!
route-map 10 permit 10
!
route-map tunnel0 permit 10
match ip address 2
match interface FastEthernet0
set ip next-hop 99.14.166.190
!
route-map tunnel1 permit 10
match ip address 3
match interface FastEthernet1
set ip next-hop 99.14.166.160
!
route-map att permit 10
match ip address 1
match interface FastEthernet1
!
route-map comcast permit 10
match ip address 1
match interface FastEthernet0

Georg,

Thank you, the tunnels came up but the spoke is not getting eigrp updates, the hub is though.

Thank you,

Marley

Georg,

I removed the route ip summary from the tunnels on the hub and eigrp updates go through. If I shut a tunnel the other takes over no problem. If I shut down the primary FastEthernet (F0) interface on the spoke to simulate loss of ISP then tunnel1 never builds back up. I don't understand why tunnel1 sourced from f1 never builds when f0 is down; there is internet access in this scenario.

Thanks again for your help,

M
