Site A (cisco 881 - Version 15.2(4)M4)
Tunnel:
crypto map MYCRYPTO 20 ipsec-isakmp
description DC
set peer X.X.X.X
set transform-set MYSET2
match address DC_VPN
crypto ipsec transform-set MYSET2 esp-3des esp-md5-hmac
mode tunnel
ACL (first two entries are for testing purpose):
ip access-list extended DC_VPN
permit ip host 192.168.40.2 host 192.168.3.250
permit ip host 192.168.40.36 host 192.168.3.250
permit ip 192.168.40.0 0.0.0.255 192.168.3.0 0.0.0.255
ACL for NAT/no-NAT:
ip access-list extended NAT
deny ip 192.168.40.0 0.0.0.255 192.168.3.0 0.0.0.255 log
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.0.255 any
Public interface:
interface FastEthernet4
description ### WAN ###
ip address Y.Y.Y.Y
ip access-group OUTSIDE_IN in
ip nat outside
ip inspect INSIDE_OUT out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map MYCRYPTO
ip access-list extended OUTSIDE_IN
permit icmp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
deny ip any any
Site B (cisco 1921 - Version 15.2(2)T1)
Tunnel:
crypto map MYCRYPTO 20 ipsec-isakmp
description SAN
set peer Y.Y.Y.Y
set transform-set ESP-3DES
match address SAN
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
ACL:
ip access-list extended SAN
permit ip host 192.168.3.250 host 192.168.40.2
permit ip host 192.168.3.250 host 192.168.40.36
permit ip 192.168.3.0 0.0.0.255 192.168.40.0 0.0.0.255
ACL for NAT/no-NAT:
ip access-list extended NAT
deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.3.0 0.0.0.255 any
Public interface:
interface GigabitEthernet0/0
description ### WAN ###
bandwidth 100000
ip address X.X.X.X
ip access-group INTERNET_IN in
ip nat outside
ip inspect INTERNET_OUT out
ip virtual-reassembly in max-reassemblies 64
duplex full
speed 100
crypto map MYCRYPTO
service-policy output int_WAN
ip access-list extended INTERNET_IN
permit icmp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
...
deny ip any any
