Access rules

bheire1973
Level 1

Hi,

Users behind a Cisco 1841 are not able to connect to a network using the Cisco Systems VPN Client. Transport is IPsec over UDP (NAT/PAT). The connection just times out.

Could someone please confirm which ports should be allowed in the access list? Or do you have a link to an article on this?

Thanks

Accepted Solution

Hello,

Okay so basically for a regular IPSec VPN client connection we will need to have open the following ports:

UDP 500

UDP 4500

ESP or AH

interface FastEthernet0/0
 ip access-group OUTBOUND_FILTER in
interface FastEthernet0/1
 ip access-group INBOUND_FILTER in

Those are the 2 ACLs you have in place.

You will need to allow on each of them the traffic for the VPN endpoint. Let's say the internal users will be 10.88.48.0/24 and the VPN server will be 4.2.2.2.

So the configuration needed will be:

ip access-list extended OUTBOUND_FILTER
 1 permit udp 10.88.48.0 0.0.0.255 host 4.2.2.2 eq 500
 2 permit udp 10.88.48.0 0.0.0.255 host 4.2.2.2 eq 4500
 3 permit esp 10.88.48.0 0.0.0.255 host 4.2.2.2
ip access-list extended INBOUND_FILTER
 1 permit udp host 4.2.2.2 eq 500 10.88.48.0 0.0.0.255
 2 permit udp host 4.2.2.2 eq 4500 10.88.48.0 0.0.0.255
 3 permit esp host 4.2.2.2 10.88.48.0 0.0.0.255

Any other question? Sure... Just remember to rate all of the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
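As an added check, not part of the thread or of Cisco's tooling, here is a small Python evaluator for the extended-ACL syntax used above (any / host / network-plus-wildcard, eq / range, the isakmp and non500-isakmp keywords). It parses ACL text, evaluates a flow with first-match and implicit-deny semantics, and reports whether the three flows the VPN client needs (UDP 500, UDP 4500, ESP) are permitted; the port-keyword table is an assumption covering only the keywords in this thread, and the redacted lines (`Public external IP`) are not parseable.

```python
import ipaddress

# IOS port keywords used in the thread's ACLs (assumption: this subset is enough here).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "www": 80,
              "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}

def _addr_and_ports(tokens):
    """Consume '<any | host A | A wildcard> [eq P | range A B]'; return (matcher, rest)."""
    if tokens[0] == "any":
        base, wild, rest = 0, 0xFFFFFFFF, tokens[1:]
    elif tokens[0] == "host":
        base, wild, rest = int(ipaddress.ip_address(tokens[1])), 0, tokens[2:]
    else:  # network plus wildcard mask, e.g. 10.88.48.0 0.0.0.255
        base = int(ipaddress.ip_address(tokens[0]))
        wild, rest = int(ipaddress.ip_address(tokens[1])), tokens[2:]
    lo, hi = 0, 65535  # no port operator: any port (also covers esp/ahp/gre)
    if rest and rest[0] == "eq":
        lo = hi = PORT_NAMES.get(rest[1]) or int(rest[1]); rest = rest[2:]
    elif rest and rest[0] == "range":
        lo, hi = (PORT_NAMES.get(t) or int(t) for t in rest[1:3]); rest = rest[3:]
    def match(ip, port):  # wildcard bits set to 1 are "don't care" bits
        return (int(ipaddress.ip_address(ip)) ^ base) & ~wild == 0 and lo <= port <= hi
    return match, rest

def parse_acl(text):
    """Parse extended-ACL lines; sequence numbers are dropped, other lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            tok = tok[1:]
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr_and_ports(tok[2:])
            dst, _ = _addr_and_ports(rest)
            entries.append((tok[0], tok[1], src, dst))
    return entries

def acl_action(entries, proto, src, sport, dst, dport):
    """First-match evaluation, ending in the implicit deny at the end of every IOS ACL."""
    for action, p, src_ok, dst_ok in entries:
        if p in ("ip", proto) and src_ok(src, sport) and dst_ok(dst, dport):
            return action
    return "deny"

def vpn_client_flows(acl_text, client, headend):
    """Which of the three Cisco VPN Client flows (IKE, NAT-T, ESP) does the ACL permit?"""
    e = parse_acl(acl_text)
    return {"ike": acl_action(e, "udp", client, 500, headend, 500) == "permit",
            "nat-t": acl_action(e, "udp", client, 4500, headend, 4500) == "permit",
            "esp": acl_action(e, "esp", client, 0, headend, 0) == "permit"}
```

Paste the ACL text from `show ip access-lists` into `vpn_client_flows` with the client subnet host and the headend address to confirm all three flows come back `True` before touching the router.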


5 Replies

Hello

Is the VPN server behind a NAT device? What is the exact issue: is the user not able to connect to the VPN, or can the VPN be connected but the inside network is not reachable? Also post the configuration file.

regards

Harish

Hi Harish,

Some users on the internal network (behind the Cisco router) need to use the Cisco VPN to access resources external to our network. So we need VPN passthrough.

This router is behind the ISP's router, which is forwarding all traffic.

Here is the config, for your reference:

!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group VPN_CLIENTS
 key 1111111111
 dns xx.xx.xx.xx
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.88.48.1 255.255.252.0
 ip access-group OUTBOUND_FILTER in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To Internet
 ip address 192.168.51.250 255.255.255.0
 ip access-group INBOUND_FILTER in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map EXT_MAP
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool VPN_CLIENT_POOL 192.168.255.20 192.168.255.50
no ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.88.49.59 21 interface FastEthernet0/1 21
ip route 0.0.0.0 0.0.0.0 192.168.51.100
!
ip access-list standard SNMP-ACL
 permit 10.75.139.90
 deny   any log
ip access-list standard SSH-ACL
 permit Public external IP
!
ip access-list extended INBOUND_FILTER
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp any eq www any
 permit tcp any eq 563 any
 permit udp any eq 563 any
 permit tcp any eq 443 any
 permit udp any eq 443 any
 permit tcp any any eq 1723
 permit tcp any eq ftp any
 permit gre any any
 permit tcp any eq 3389 any
 permit tcp any eq ftp-data any
 permit tcp any any range 1023 65535
 permit icmp any any
 permit tcp any eq 1723 any
 permit tcp any eq smtp any
 permit tcp any eq pop3 any
 permit tcp any host Public external IP
 permit tcp host Public external IP host 192.168.51.250 eq 22
 permit udp any host 192.168.51.250 eq isakmp
 permit udp any host 192.168.51.250 eq non500-isakmp
 permit esp any host 192.168.51.250
 permit ahp any host 192.168.51.250
ip access-list extended OUTBOUND_FILTER
 permit tcp host 10.88.48.33 any eq smtp
 deny   tcp 10.88.48.0 0.0.0.255 any eq smtp
 permit ip any any
 permit icmp any any
!
logging esm config
access-list 101 deny   ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
access-list 101 deny   ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 101 permit ip 10.88.0.0 0.0.255.255 any
access-list 110 permit ip 10.88.0.0 0.0.255.255 192.168.255.0 0.0.0.255
access-list 110 permit ip 10.88.48.0 0.0.0.255 192.168.255.0 0.0.0.255
!
!
!
snmp-server community Stanley RO SNMP-ACL
snmp-server ifindex persist
snmp-server enable traps tty
!
!
!
control-plane
!
!
banner login
*****************************************************************
******************************************************************
!
line con 0
 exec-timeout 30 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
end

Hello,

When you say pass-through, you mean the VPN clients will go across this router, so the router just needs to be open for the right ports; the router itself will not be the VPN client nor the VPN headend, correct?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

yes, that is correct. They will just pass through this router to the internet. So as you say, the router needs to have the correct ports open.

Thank you for your help
