
Multiple DHCP pools on Cisco 891F

hochgenub
Level 1

Hi everyone,

I have a Cisco 891F VPN router and would like to have more than one DHCP pool. Possible?

Current dhcp pool is 192.168.1.0/254, gateway 192.168.1.1

I would like to create a new pool with 192.168.30.0/24 with gateway 192.168.30.1

Is this possible? I would really appreciate it if someone guided me on this with the IOS scripts.

Many thanks in advance


marce1000
Hall of Fame

 - Ref: https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800_Guide_BookMap_chapter_01110.html

 - Presuming you can create more than one pool, according to the examples.

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi M.

Thanks for the reply. I've read that article many times too.
I may be wrong (as currently I'm working-from-home) but I believe my cisco
router only has one fast ethernet 0 port.

Hence can't create VLANs?

Thanks again

Perhaps the output of show version and of show ip interface brief might shed some light on what might be available?

HTH

Rick

Hello,

I have the below sample configuration for the 891 on file, not sure if it matches your router exactly, but I believe you can manually create the Vlan interfaces, and then assign switchports to the Vlans...

Building configuration...

Current configuration : 6951 bytes
!
! Last configuration change at 09:42:57 PCTime Wed Jul 11 2012 by User
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$MGyU
!
no aaa new-model
!
no ip source-route
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool VLAN1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool VLAN2
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FGL16082051
!
username User privilege 15 secret 5 $1$872L$usBjgP2KGGnEv48KleE1h0
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
switchport access vlan 2
!
interface FastEthernet5
switchport access vlan 2
!
interface FastEthernet6
switchport access vlan 2
!
interface FastEthernet7
switchport access vlan 2
!
interface FastEthernet8
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet8 overload
!
ip route 0.0.0.0 0.0.0.0 FastEthernet8 dhcp
!
logging trap debugging
no cdp run
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
!
control-plane
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Thanks for the share George Pauwen

I think this is quite the result I was looking for!

May I have a step-by-step guide on how to set this up please? I'm not too
familiar with the CLI lines for cisco devices and wouldn't want to disrupt
the devices on the current dhcp pool..

Cheers


Hello,

good to know that this sample config might be what you are looking for...

The below is how you would set up the DHCP pool for the new Vlan. The easiest would probably be for you to post the output of 'sh run', so we can fill in the bits and pieces that are needed.

Router#conf t
Router(config)#ip dhcp excluded-address 192.168.30.1
Router(config)#ip dhcp pool VLAN2
Router(dhcp-config)#network 192.168.30.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.30.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#end

Hi again

Thanks for your quick response.

Below is my "sh run"

Do I need to route the VLAN2 to a separate unmanaged network switch or can
the 2 dhcp pools run on the same network?

Building configuration...

Current configuration : 2906 bytes
!
! Last configuration change at 16:00:12 GMT Mon Aug 9 2021 by admin1
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Pxxxxxc_Sxx-Cisco800
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa session-id common
clock timezone GMT 8 0
!
ip dhcp excluded-address 192.168.1.2 192.168.1.30
!
ip dhcp pool one
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 165.21.83.88 165.21.100.88
!
ip domain name pxxxxxxxxxxxx.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn FXXXXXXXXXXX
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
username admin1 privilege 15 password 0 xxxxxxxxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa hostname kyoten2
crypto isakmp keepalive 30
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map sa1-dynamic 10
set transform-set IPSEC
set pfs group5
!
crypto map sa1 1 ipsec-isakmp dynamic sa1-dynamic
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
duplex full
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 42.xx.xx.yyy 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
crypto map sa1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
ip address dhcp
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 42.xx.xx.yyy
!
route-map nonat permit 10
match ip address 101
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.152.0 0.0.0.255
access-list 101 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end



Hello,

with VLAN2 I assume you mean Vlan 100 (the Vlan interface you have created)?

Either way, you don't need any additional routing (as long as whatever clients exist in Vlan 100 are directly connected to your router).

In the configuration below, interfaces GigabitEthernet4 and 5 have been assigned to the new Vlan. Here is what the config should look like (important parts marked in bold):

Current configuration : 2906 bytes
!
! Last configuration change at 16:00:12 GMT Mon Aug 9 2021 by admin1
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Pxxxxxc_Sxx-Cisco800
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
aaa session-id common
clock timezone GMT 8 0
!
--> ip dhcp excluded-address 192.168.1.1 192.168.1.30
--> ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool one
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 165.21.83.88 165.21.100.88
!
--> ip dhcp pool two
--> network 192.168.30.0 255.255.255.0
--> default-router 192.168.30.1
--> dns-server 8.8.8.8
!
ip domain name pxxxxxxxxxxxx.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn FXXXXXXXXXXX
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxx
username admin1 privilege 15 password 0 xxxxxxxxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa hostname kyoten2
crypto isakmp keepalive 30
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map sa1-dynamic 10
set transform-set IPSEC
set pfs group5
!
crypto map sa1 1 ipsec-isakmp dynamic sa1-dynamic
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
duplex full
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
--> switchport access vlan 100
!
interface GigabitEthernet5
--> switchport access vlan 100
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 42.xx.xx.yyy 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
crypto map sa1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
--> interface Vlan100
--> ip address 192.168.30.1 255.255.255.0
--> ip nat inside
--> ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 42.xx.xx.yyy
!
--> route-map nonat permit 10
--> match ip address 101
--> match interface GigabitEthernet8
!
--> access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.152.0 0.0.0.255
--> access-list 101 deny ip 192.168.30.0 0.0.0.255 172.31.152.0 0.0.0.255
--> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
--> access-list 101 permit ip 192.168.30.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end

Hi

I input the lines as per your suggestions but now my old 192.168.1.1 dhcp
pool isn't able to connect to the internet.

Seems now the operable gateway is 192.168.30.1

Please help! Thanks, urgent

Hello,

post the current running configuration (sh run)...

Hi Georg

Below is the latest sh run. Thanks in advance!


Building configuration...

Current configuration : 3186 bytes
!
! Last configuration change at 15:56:09 GMT Fri Aug 20 2021 by admin1
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Pxxxc_Swww-Cisco800
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
aaa session-id common
clock timezone GMT 8 0
!
ip dhcp excluded-address 192.168.1.2 192.168.1.30
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool one
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 165.21.83.88 165.21.100.88
!
ip dhcp pool VLAN2
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 165.21.83.88 165.21.100.88
!
ip domain name pxxxxx.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn Fxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username admin1 privilege 15 password 0 xxxxxxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx hostname kxxxxxx
crypto isakmp keepalive 30
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map sa1-dynamic 10
set transform-set IPSEC
set pfs group5
!
crypto map sa1 1 ipsec-isakmp dynamic sa1-dynamic
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
duplex full
speed auto
!
interface GigabitEthernet0
no ip address
duplex full
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
switchport access vlan 100
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 42.xx.xxxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
crypto map sa1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 42.xx.xxx.xxx
!
route-map nonat permit 10
match ip address 101
match interface GigabitEthernet8
!
access-list 101 deny ip 192.168.30.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 101 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks for posting the running config. Based on what I see in the config I would expect that both networks should be able to access the Internet. Am I correct in understanding that devices in 192.168.1.0 can not access the Internet but devices in 192.168.30.0 can access the Internet? If so can you tell me about these questions:

- can a device in the 192.168.1.0 ping the 192.168.1.1 address?

- can a device in the 192.168.1.0 ping the 192.168.30.1 address?

- can a device in the 192.168.1.0 ping a device in the 192.168.30.0?

The only thing that I see in the config that is unique about 192.168.30.0 is in the access list 101 used for address translation. Did this exist before you added the second DHCP pool?

HTH

Rick

Hi Richard

Thanks for your reply

Am I correct in understanding that devices in 192.168.1.0 can not access
the Internet but devices in 192.168.30.0 can access the Internet?

> yes, you are correct. Devices on 192.168.1.0 cannot access internet but
they can still see each other in the same pool. Those in 30.0 cannot see
devices on 1.0 but can access internet.

If so can you tell me about these questions:

- can a device in the 192.168.1.0 ping the 192.168.1.1 address?

> yes

- can a device in the 192.168.1.0 ping the 192.168.30.1 address?

> no

- can a device in the 192.168.1.0 ping a device in the 192.168.30.0?

> no

The only thing that I see in the config that is unique about 192.168.30.0
is in the access list 101 used for address translation. Did this exist
before you added the second DHCP pool?
> no. The access list 101 was added the same time the 30.0 pool was created.

Any fix for this please?

Thanks again!

Hello,

which ports on the router are the clients connected to that are supposed to get a 192.168.1.0/24 address? Currently, only port GigabitEthernet4 is assigned to Vlan 100, so anything connected to this port will get an IP address in the 192.168.30.0/24 range. Anything connected to any of the other ports should get an IP address in the 192.168.1.0/24 range. Can you post the output of:

sh interfaces brief

Also, make the changes marked in bold to your configuration:

Current configuration : 3186 bytes
!
! Last configuration change at 15:56:09 GMT Fri Aug 20 2021 by admin1
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Pxxxc_Swww-Cisco800
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
aaa new-model
!
aaa session-id common
clock timezone GMT 8 0
!
--> ip dhcp excluded-address 192.168.1.1 192.168.1.30
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool one
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 165.21.83.88 165.21.100.88
!
--> ip dhcp pool VLAN100
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 165.21.83.88 165.21.100.88
!
ip domain name pxxxxx.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn Fxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username admin1 privilege 15 password 0 xxxxxxxx
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx hostname kxxxxxx
crypto isakmp keepalive 30
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto dynamic-map sa1-dynamic 10
set transform-set IPSEC
set pfs group5
!
crypto map sa1 1 ipsec-isakmp dynamic sa1-dynamic
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
duplex full
speed auto
!
interface GigabitEthernet0
no ip address
duplex full
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
switchport access vlan 100
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 42.xx.xxxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
crypto map sa1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
ip address 192.168.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 42.xx.xxx.xxx
!
route-map nonat permit 10
match ip address 101
match interface GigabitEthernet8
!
access-list 101 deny ip 192.168.30.0 0.0.0.255 172.31.1.0 0.0.0.255
--> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
--> access-list 101 permit ip 192.168.30.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
!
end
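
Added example, not part of the thread and not Cisco tooling: a Python check that reads a running config and verifies, for every DHCP pool, the pieces the replies above keep adjusting: the gateway address is excluded from leasing, an `ip nat inside` interface owns that gateway, and the NAT access list permits the pool's subnet. It also flags ACL sources written with host bits set. The function names, the default ACL number 101 and the sample config (constructed from the thread's addressing, with deliberate gaps) are assumptions.

```python
import ipaddress
import re

# Constructed sample with the thread's addressing and three deliberate gaps: 192.168.30.1
# is not excluded, Vlan100 lacks "ip nat inside", and the last ACL source has host bits set.
SAMPLE = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool one
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
!
ip dhcp pool VLAN100
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan100
 ip address 192.168.30.1 255.255.255.0
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 172.31.152.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.1 0.0.0.255 any
"""
SUB = re.compile(r"(network|default-router|ip address) (\d\S*) ?(\S*)")


def acl_source(tok):
    """Parse an extended-ACL source (contiguous wildcard assumed): (net, host_bits_set, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), False, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), False, tok[2:]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[1])) ^ 0xFFFFFFFF)
    net = ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False)
    return net, str(net.network_address) != tok[0], tok[2:]


def audit(cfg, nat_acl="101"):
    """Check each DHCP pool's exclusion, gateway interface and NAT ACL entry."""
    excluded, pools, ifaces, acl, sect = [], {}, {}, [], None
    for line in map(str.strip, cfg.splitlines()):
        if line in ("", "!"):
            sect = None
        elif m := re.match(r"ip dhcp excluded-address (\S+) ?(\S*)$", line):
            excluded.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2] or m[1])))
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            sect = pools.setdefault(m[1], {})
        elif m := re.match(r"interface (\S+)$", line):
            sect = ifaces.setdefault(m[1], {})
        elif m := re.match(rf"access-list {nat_acl} (permit|deny) ip (.+)$", line):
            acl.append((m[1], *acl_source(m[2].split())))
        elif sect is not None and line == "ip nat inside":
            sect["nat"] = True
        elif sect is not None and (m := SUB.match(line)):
            sect[m[1]] = (m[2], m[3])
    out = [f"acl {nat_acl}: {a} source has host bits set, matches {s}" for a, s, bad, _ in acl if bad]
    for name, p in pools.items():
        net = ipaddress.ip_network("/".join(p["network"]), strict=False)
        gw = ipaddress.ip_address(p["default-router"][0])
        if not any(lo <= gw <= hi for lo, hi in excluded):
            out.append(f"pool {name}: gateway {gw} can be leased (not excluded)")
        svi = next((i for i in ifaces.values() if i.get("ip address", ("",))[0] == str(gw)), None)
        if not (svi and svi.get("nat")):
            out.append(f"pool {name}: no 'ip nat inside' interface owns {gw}")
        # Simplification: any permit-to-any entry covering the pool counts as translated.
        if not any(a == "permit" and r[:1] == ["any"] and net.subnet_of(s) for a, s, _, r in acl):
            out.append(f"pool {name}: {net} is not permitted in NAT ACL {nat_acl}")
    return out

print("\n".join(audit(SAMPLE)))
```

The ACL check only confirms that a permit-to-any entry covers each pool; it does not evaluate first-match order against earlier deny entries such as the VPN no-NAT line.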