Router A:

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp key vpnuser address 38.2.10.1

crypto isakmp key vpnuser address 42.10.1.2

!

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 42.10.1.2

set transform-set myset

match address ann

!

crypto map mymap 10 ipsec-isakmp

set peer 38.2.10.1

set transform-set myset

match address parents

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

ip address 38.1.10.1 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

ip address 192.168.9.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 38.1.10.2

!

ip flow-export version 9

!

!

ip access-list extended ann

permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255

ip access-list extended parents

permit ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 remark == [Control NAT Service]==

access-list 101 deny ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 deny ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

Router B

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp key vpnuser address 38.1.10.1

!

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer 38.1.10.1

set transform-set myset

match address ann

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

ip address 38.2.10.1 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 38.2.10.2

!

ip flow-export version 9

!

!

ip access-list extended ann

permit ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 101 remark == [Control NAT Service]==

access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

Router C

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp key vpnuser address 38.1.10.1

!

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto map mymap 1 ipsec-isakmp

set peer 38.1.10.1

set transform-set myset

match address ann

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

ip address 42.10.1.2 255.255.255.0

ip nat outside

duplex auto

speed auto

crypto map mymap

!

interface FastEthernet0/1

ip address 192.168.3.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 42.10.1.1

!

ip flow-export version 9

!

!

ip access-list extended ann

permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 101 remark == [Control NAT Service]==

access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.255.255 any