What's going on? VPN SITE TO SITE

#16 Post by posiu »

Also run this on, e.g., the 871:

Code:

clear crypto sa peer 62.87.xx.xx

and generate some interesting traffic...

#17 Post by umbro »

It didn't help: status down, ping attempt to 10.1.1.1 failed :/
One question:
crypto map SDM_CMAP_1 1 ipsec-isakmp
description skl27->Head
set peer 62.87.xx.xx
set transform-set ESP-3DES-SHA
match address 110 <---- What is this?

In fact, apart from the local network addressing, this is the only thing in which the configurations of the other routers connecting over VPN to the central one differ.

#18 Post by gryglas »

On the 871 router, remove md5:

Code:

crypto isakmp policy 1
 encr 3des
 authentication pre-share

Then, if the tunnel does not come up, enter the following from the CLI on the 871 router:

Code:

debug crypto isakmp sa
debug crypto ipsec sa
terminal monitor

Bring up the VPN connection (ping the local address of the 2800) and paste what you get (all of it, though).
Otherwise we'll be sitting on this for another week.

Posiu:
Our colleague has a problem in phase one; we'll probably get to NAT later.

#19 Post by umbro »

OK, the tunnel did not come up (I can see that in SDM on the central router):
I removed hash md5.

And now when I try to run the debug commands:
rt31#debug crypto isakmp sa
^
% Invalid input detected at '^' marker.


rt31#debug crypto isakmp ?
error ISAKMP Errors
ha ISAKMP High Availability
<cr>

#20 Post by posiu »

umbro wrote:
It didn't help: status down, ping attempt to 10.1.1.1 failed :/

match address 110 <---- What is this?

Here you define the traffic that is to be encrypted and fall into this VPN...

Also post the output of these commands from the 871:

Code:

sh crypto isakmp sa
sh crypto ipsec sa

and do what gryglas says...

#21 Post by gryglas »

umbro wrote:
OK, the tunnel did not come up (I can see that in SDM on the central router):
I removed hash md5.

And now when I try to run the debug commands:
rt31#debug crypto isakmp sa
^
% Invalid input detected at '^' marker.


rt31#debug crypto isakmp ?
error ISAKMP Errors
ha ISAKMP High Availability
<cr>

Try:

Code:

debug crypto isakmp [enter]
debug crypto ipsec [enter]

Is the last pasted config for the 871 current, and the earlier one for the 2800?
Last edited 08 Mar 2009, 12:08 by gryglas; edited 2 times in total.

#22 Post by umbro »

rt31#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

rt31#sh cr
rt31#sh crypto ipse
rt31#sh crypto ipsec sa

rt31#

#23 Post by umbro »

gryglas:
Here is what I got:
rt31#debug crypto isakmp
Crypto ISAKMP debugging is on
rt31#debug cry
rt31#debug crypto ipsec
Crypto IPSEC debugging is on
rt31#te
rt31#mo
rt31#moni
rt31#monitor term
rt31#monitor termi
rt31#terminal monitor
rt31#

#24 Post by posiu »

Now send a ping between the two LANs, or some other traffic, between 10.1.1.0<->192.168.31.0.
Also show the NAT ACL from the 871, because if you ping from that side and NAT is done wrong, the packets won't fall into the tunnel and we won't see anything in the debug...

And paste the two current configs...

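Added example, not part of the thread and not any participant's code: IOS performs inside-to-outside NAT before it checks the crypto map, so a flow permitted by the crypto map's match address ACL has to be denied (exempted) in every ip nat inside source rule, and the ACL the crypto map points at has to exist. The Python sketch below checks both on a constructed config modeled on the thread's addressing; the function names and the whole-subnet first-match simplification are assumptions of the example.

```python
import ipaddress

# Constructed sample modeled on the addressing used in the thread (not a device capture).
SAMPLE = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 110
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map rmap interface FastEthernet4 overload
ip access-list extended NAT
 deny   ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any
access-list 1 permit 192.168.31.0 0.0.0.255
access-list 110 permit ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map rmap permit 1
 match ip address NAT
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


def take_net(tok):
    """Pop one address spec (any | host A | A WILDCARD) off the token list."""
    if not tok or tok[0] == "any":
        del tok[:1]
        return ANY
    if tok[0] == "host":
        tok[:2] = [tok[1], "0.0.0.0"]          # host A is A with wildcard 0.0.0.0
    addr = tok.pop(0)
    wild = int(ipaddress.ip_address(tok.pop(0))) if tok else 0
    if wild & (wild + 1):
        raise ValueError("non-contiguous wildcard is outside this sketch")
    return ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False)


def add_ace(acls, name, extended, tok):
    """Store (action, src, dst); handles 'ip' entries without port operators."""
    if tok[0] not in ("permit", "deny"):       # skips 'remark' lines
        return
    rest = tok[2:] if extended else tok[1:]    # extended ACEs carry a protocol
    src = take_net(rest)
    dst = take_net(rest) if extended else ANY  # standard ACLs match source only
    acls.setdefault(name, []).append((tok[0], src, dst))


def parse(config):
    acls, rmaps, nat_rules, cmaps, ctx = {}, {}, [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if line[0].isspace():                  # sub-command of the open block
            if ctx and ctx[0] == "acl":
                add_ace(acls, ctx[1], ctx[2], tok)
            elif ctx and ctx[0] == "rmap" and tok[:3] == ["match", "ip", "address"]:
                rmaps[ctx[1]] = tok[3]
            elif ctx and ctx[0] == "cmap" and tok[:2] == ["match", "address"]:
                cmaps[ctx[1]] = tok[2]
            continue
        ctx = None
        if tok[:2] == ["ip", "access-list"] and len(tok) >= 4:
            ctx = ("acl", tok[3], tok[2] == "extended")
            acls.setdefault(tok[3], [])
        elif tok[0] == "access-list" and tok[1].isdigit():
            n = int(tok[1])
            add_ace(acls, tok[1], 100 <= n <= 199 or 2000 <= n <= 2699, tok[2:])
        elif tok[0] == "route-map":
            ctx = ("rmap", tok[1])
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            ctx = ("cmap", f"{tok[2]} {tok[3]}")
        elif tok[:4] == ["ip", "nat", "inside", "source"] and tok[4] in ("list", "route-map"):
            nat_rules.append((f"{tok[4]} {tok[5]}", tok[4], tok[5]))
    return acls, rmaps, nat_rules, cmaps


def first_match(acl, src, dst):
    """Action of the first ACE covering all of src->dst, else the implicit deny."""
    for action, a_src, a_dst in acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
    return "deny"


def audit(config):
    """Return (crypto map entry, crypto ACL, problem) tuples."""
    acls, rmaps, nat_rules, cmaps = parse(config)
    findings = []
    for cmap, name in cmaps.items():
        if name not in acls:
            findings.append((cmap, name, "crypto ACL is not defined"))
            continue
        for src, dst in ((s, d) for a, s, d in acls[name] if a == "permit"):
            for label, kind, ref in nat_rules:
                nat_acl = rmaps.get(ref) if kind == "route-map" else ref
                if first_match(acls.get(nat_acl, []), src, dst) == "permit":
                    findings.append((cmap, name, f"{src} -> {dst} hits NAT rule '{label}'"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the constructed sample the route-map rule exempts the LAN-to-LAN flow, while the plain list rule would translate it before the crypto map is evaluated.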

#25 Post by umbro »

The central one hasn't changed,
and the 871 currently looks like this:

Code:

rt31(config)#exit
rt31#sh run
Building configuration...

Current configuration : 6853 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rt31
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$lygk$xAeiu8NjnNYl8MNpLsKB7/
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3871084757
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3871084757
 revocation-check none
 rsakeypair TP-self-signed-3871084757
!
!
crypto pki certificate chain TP-self-signed-3871084757
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.31.1
ip dhcp excluded-address 192.168.31.1 192.168.31.99
ip dhcp excluded-address 192.168.31.201 192.168.31.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.31.0 255.255.255.0
   default-router 192.168.31.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name xx.pl
ip name-server 81.15.146.169
ip name-server 194.204.159.1
!
!
!
username admin privilege 15 secret 5 $1$s8hV$OJ.YqVWoofaAbvOuzSO/W/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345678910 address 62.87.xx.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 ! Incomplete
 description skl31->Head
 set peer 62.87.xx.xx
 set transform-set ESP-3DES-SHA
 match address 141
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
 --More--
000065: *Mar  1 07:00:04.198 PCTime: %SYS-5-CONFIG_I: Configured from console
 admin on vty0 (192.1
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 mac-address 0002.7257.093f
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.31.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.77.xx.xx
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map rmap interface FastEthernet4 overload
!
ip access-list extended NAT
 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.31.0 0.0.0.255
access-list 1 remark INSIDE_IF=VLAN1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 remark INSIDE_IF=VLAN1
access-list 2 remark SDM_ACL Category=4
access-list 2 permit 192.168.31.0 0.0.0.255
access-list 100 remark IPSEC Rule
access-list 100 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 103 remark IPSEC Rule
access-list 103 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.31.0 0.0.0.255 any
access-list 110 permit ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
no cdp run
!
!
route-map rmap permit 1
 match ip address NAT
!
route-map SDM_RMAP_1 permit 1
 match ip address 141
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device an
it provides the default username "cisco" for  one-time use. If you have alrea
used the username "cisco" to login to the router and your IOS image supports

"one-time" user option, then this username has already expired. You will not
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege leve
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

#26 Post by posiu »

Show the central one too, because we changed various ACLs there as well...

#27 Post by umbro »

871 config:

Code:

rt31#sh run
Building configuration...

Current configuration : 6908 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rt31
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$lygk$xAeiu8NjnNYl8MNpLsKB7/
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3871084757
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3871084757
 revocation-check none
 rsakeypair TP-self-signed-3871084757
!
!
crypto pki certificate chain TP-self-signed-3871084757
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.31.1
ip dhcp excluded-address 192.168.31.1 192.168.31.99
ip dhcp excluded-address 192.168.31.201 192.168.31.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.31.0 255.255.255.0
   default-router 192.168.31.1
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name xx.pl
ip name-server 81.15.146.169
ip name-server 194.204.159.1
!
!
!
username admin privilege 15 secret 5 $1$s8hV$OJ.YqVWoofaAbvOuzSO/W/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key 12345678910 address 62.87.xx.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description skl31->Head
 set peer 62.87.xx.xx
 set transform-set ESP-3DES-SHA
 match address 141
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 mac-address 0002.7257.093f
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.31.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.77.xx.xx
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map rmap interface FastEthernet4 overload
!
ip access-list extended NAT
 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.31.0 0.0.0.255
access-list 1 remark INSIDE_IF=VLAN1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 remark INSIDE_IF=VLAN1
access-list 2 remark SDM_ACL Category=4
access-list 2 permit 192.168.31.0 0.0.0.255
access-list 100 remark IPSEC Rule
access-list 100 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 103 remark IPSEC Rule
access-list 103 deny   ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 192.168.31.0 0.0.0.255 any
access-list 110 permit ip 192.168.31.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 141 permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!
!
route-map rmap permit 1
 match ip address NAT
!
route-map SDM_RMAP_1 permit 1
 match ip address 141
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the

"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Central (it's quite large; my access-list entries are at the end, so don't be alarmed):

Code:

!This is the running config of the router: 10.1.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RT00
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
enable secret 5 $1$.Ir4$5Sh8DZRJJeON3cXbqBgUR0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa authorization network sdm_vpn_group_ml_2 local 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip domain name xx.pl
ip name-server 192.168.0.253
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1965592476
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1965592476
 revocation-check none
 rsakeypair TP-self-signed-1965592476
!
!
crypto pki certificate chain TP-self-signed-1965592476
 certificate self-signed 01
  quit
username admin privilege 15 secret 5 $1$m8yp$/Y5E1quEHpCz7F7IO4Lh40
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share

crypto isakmp key 12345678910 address 88.156.xx.xx no-xauth
crypto isakmp keepalive 10
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group menago
 key menago8
 pool SDM_POOL_1
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-des esp-md5-hmac 
!

crypto map SDM_CMAP_1 43 ipsec-isakmp 
 description head->skl31
 set peer 88.156.89.202
 set transform-set ESP-3DES-SHA 
 match address 141
!
!
!
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_OUTSIDE$$ETH-LAN$
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $FW_INSIDE$$ETH-LAN$
 ip address 10.1.1.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
 vlan-id dot1q 1
  exit-vlan-config
 !
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
 switchport access vlan 2
!
interface FastEthernet0/1/3
 switchport access vlan 2
!
interface Serial0/0/0
 ip address 62.87.xx.xx 255.255.255.252
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1394
 crypto map SDM_CMAP_1
!
interface Vlan1
 no ip address
!
ip local pool SDM_POOL_1 192.168.0.210 192.168.0.220
ip classless
ip route 0.0.0.0 0.0.0.0 62.87.xx.xx
!
ip flow-top-talkers
 top 50
 sort-by bytes
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended NAT
 remark SDM_ACL Category=2
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.17.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.23.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.19.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.19.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.12.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.56.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.56.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.94.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.94.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.21.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.60.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.81.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.81.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.53.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.83.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.6.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.18.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.11.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 deny   ip 192.168.83.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark SDM_ACL Category=2
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
ip access-list extended NAT_RULE
 remark SDM_ACL Category=2
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.17.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.23.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.19.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.19.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.12.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.56.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.94.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.21.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.81.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.81.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.53.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
 deny   ip 192.168.83.0 0.0.0.255 10.1.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.6.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.18.0 0.0.0.255
 permit ip host 10.1.1.130 any
 remark SDM_ACL Category=2
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
ip access-list extended NN
 remark SDM_ACL Category=2
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark SDM_ACL Category=2
ip access-list extended internet
 remark company->internet
 remark SDM_ACL Category=2
 deny   ip 10.1.1.0 0.0.0.255 192.168.7.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.56.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.13.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.83.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.18.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.94.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.17.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.23.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.19.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.19.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.12.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.56.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.94.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.21.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.81.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.81.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.53.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.6.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.18.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 remark company->internet
 remark SDM_ACL Category=2
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 24 permit 192.168.0.0 0.0.0.255
access-list 99 remark SDM_ACL Category=16
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 99 permit 10.1.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.1.1.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.14.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.1.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 10.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.81.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.81.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 deny   ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 10.1.1.0 0.0.0.255 any
access-list 108 remark SDM_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 108 remark IPSec Rule
access-list 109 remark SDM_ACL Category=4
access-list 109 permit ip 10.1.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip 10.1.1.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.19.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 111 remark SDM_ACL Category=4
access-list 111 permit ip 10.1.1.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 112 remark SDM_ACL Category=4
access-list 112 permit ip 10.1.1.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 112 remark SDM_ACL Category=4
access-list 112 remark IPSec Rule
access-list 113 remark SDM_ACL Category=4
access-list 113 permit ip 10.1.1.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.0.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 114 remark SDM_ACL Category=4
access-list 114 permit ip 10.1.1.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.0.0 0.0.0.255 192.168.56.0 0.0.0.255
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 115 remark SDM_ACL Category=4
access-list 115 permit ip 10.1.1.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.94.0 0.0.0.255
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 116 remark SDM_ACL Category=4
access-list 116 permit ip 10.1.1.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 116 remark SDM_ACL Category=4
access-list 116 remark IPSec Rule
access-list 117 remark SDM_ACL Category=4
access-list 117 permit ip 10.1.1.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.0.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 117 remark SDM_ACL Category=4
access-list 117 remark IPSec Rule
access-list 118 remark SDM_ACL Category=4
access-list 118 permit ip 10.1.1.0 0.0.0.255 192.168.81.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.168.81.0 0.0.0.255
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 119 remark SDM_ACL Category=4
access-list 119 permit ip 10.1.1.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 119 remark SDM_ACL Category=4
access-list 119 remark IPSec Rule
access-list 120 remark SDM_ACL Category=4
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 remark IPSec Rule
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 remark SDM_ACL Category=4
access-list 120 remark IPSec Rule
access-list 121 remark SDM_ACL Category=4
access-list 121 permit ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 121 remark IPSec Rule
access-list 121 permit ip 192.168.0.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 122 remark SDM_ACL Category=4
access-list 122 remark IPSec Rule
access-list 122 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 122 remark SDM_ACL Category=4
access-list 122 remark IPSec Rule
access-list 123 remark SDM_ACL Category=4
access-list 123 remark IPSec Rule
access-list 123 permit ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 124 remark SDM_ACL Category=4
access-list 124 remark IPSec Rule
access-list 124 permit ip 192.168.0.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 125 remark SDM_ACL Category=4
access-list 125 remark IPSec Rule
access-list 125 permit ip 192.168.0.0 0.0.0.255 192.168.26.0 0.0.0.255
access-list 126 remark SDM_ACL Category=4
access-list 126 permit ip 10.1.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 126 remark IPSec Rule
access-list 126 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 126 remark SDM_ACL Category=4
access-list 126 remark IPSec Rule
access-list 127 remark SDM_ACL Category=4
access-list 127 permit ip 10.1.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 127 remark IPSec Rule
access-list 127 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 127 remark SDM_ACL Category=4
access-list 127 remark IPSec Rule
access-list 128 remark SDM_ACL Category=4
access-list 128 permit ip 10.1.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 128 remark IPSec Rule
access-list 128 permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 129 remark SDM_ACL Category=4
access-list 129 permit ip 10.1.1.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 129 remark IPSec Rule
access-list 129 permit ip 192.168.0.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 129 remark SDM_ACL Category=4
access-list 129 remark IPSec Rule
access-list 130 remark SDM_ACL Category=4
access-list 130 remark IPSec Rule
access-list 130 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 131 remark SDM_ACL Category=4
access-list 131 permit ip 10.1.1.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 131 remark IPSec Rule
access-list 131 permit ip 192.168.0.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 132 remark SDM_ACL Category=4
access-list 132 permit ip 10.1.1.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 132 remark IPSec Rule
access-list 132 permit ip 192.168.0.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 132 remark SDM_ACL Category=4
access-list 132 remark IPSec Rule
access-list 133 remark SDM_ACL Category=4
access-list 133 permit ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 133 remark IPSec Rule
access-list 133 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 133 remark SDM_ACL Category=4
access-list 133 remark IPSec Rule
access-list 134 remark SDM_ACL Category=4
access-list 134 permit ip 10.1.1.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 134 permit ip 192.168.0.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 134 remark SDM_ACL Category=4
access-list 135 remark SDM_ACL Category=4
access-list 135 remark IPSec Rule
access-list 135 permit ip 192.168.0.0 0.0.0.255 192.168.29.0 0.0.0.255
access-list 136 remark SDM_ACL Category=4
access-list 136 remark IPSec Rule
access-list 136 permit ip 192.168.0.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 137 remark SDM_ACL Category=4
access-list 137 remark IPSec Rule
access-list 137 permit ip 192.168.0.0 0.0.0.255 192.168.27.0 0.0.0.255
access-list 138 remark SDM_ACL Category=4
access-list 138 remark IPSec Rule
access-list 138 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 139 remark SDM_ACL Category=4
access-list 139 remark IPSec Rule
access-list 139 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 140 remark SDM_ACL Category=4
access-list 140 remark IPSec Rule
access-list 140 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 141 remark IPSEC Rule
access-list 141 remark SDM_ACL Category=4
access-list 141 remark IPSecRule
access-list 141 permit ip 192.168.0.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 141 permit ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
access-list 180 remark PVPN
access-list 180 remark SDM_ACL Category=4
access-list 180 remark PVPN
access-list 180 permit ip 192.168.0.0 0.0.0.255 host 88.156.86.26
access-list 198 remark SDM_ACL Category=1
access-list 198 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 198 remark SDM_ACL Category=1
access-list 199 remark SDM_ACL Category=1
access-list 199 permit ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 remark SDM_ACL Category=1
no cdp run
!
route-map SDM_RMAP_4 permit 1
 match ip address NAT
!
route-map SDM_RMAP_5 permit 1
 match ip address 108
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT_RULE
!
route-map SDM_RMAP_2 permit 1
 match ip address NAT
!
route-map SDM_RMAP_3 permit 1
 match ip address internet
 set ip next-hop 83.16.xx.xx
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CCPMSA
^C
alias exec c conf t
alias exec r sh run
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179981
ntp update-calendar
ntp server 10.1.1.253 source GigabitEthernet0/1 prefer
ntp server 192.168.0.253 prefer
!
end


bryblas was helping me over GG, and we got stuck at this point.
The tunnel still does not come up.

posiu
wannabe
Posts: 234
Joined: 08 Apr 2006, 10:42
Location: Warszawa

#28 Post by posiu »

On the central router, at the end of the ACL INTERNET you have:

Code:

deny   ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
and much, much earlier there is:

Code:

permit ip 10.1.1.0 0.0.0.255 any
Did phase 1 come up for you?

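The ordering issue raised in post #28 can be checked mechanically: IOS evaluates ACL entries top-down and stops at the first match, so a `deny` that sits below a broader `permit ... any` never matches. The following is an added example, not part of the original thread; the sample ACL is a constructed, abridged version of the `internet` ACL posted above, and the function names are hypothetical.

```python
import ipaddress

# Constructed, abridged sample modelled on the "internet" ACL posted in the thread.
SAMPLE_ACL = """\
ip access-list extended internet
 remark company->internet
 deny   ip 10.1.1.0 0.0.0.255 192.168.7.0 0.0.0.255
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
 remark IPSec Rule
 deny   ip 192.168.0.0 0.0.0.255 192.168.31.0 0.0.0.255
 deny   ip 10.1.1.0 0.0.0.255 192.168.31.0 0.0.0.255
"""

FULL = 0xFFFFFFFF


def _take_addr(tokens):
    """Consume one address spec from tokens; return (address, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, FULL
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Return the 'permit|deny ip <src> <dst>' entries of one ACL, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:      # numbered form: access-list 108 deny ...
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue                           # remarks, headers, non-ip entries
        rest = tokens[2:]
        try:
            src, dst = _take_addr(rest), _take_addr(rest)
        except (IndexError, ValueError):
            continue                           # malformed or masked (xx.xx) address
        entries.append({"action": tokens[0], "src": src, "dst": dst,
                        "text": " ".join(tokens)})
    return entries


def _covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    (o_addr, o_wild), (i_addr, i_wild) = outer, inner
    care = ~o_wild & FULL                      # bits the outer entry compares
    return (i_wild & care) == 0 and ((o_addr ^ i_addr) & care) == 0


def find_shadowed(entries):
    """Report entries that can never match because an earlier entry covers them."""
    findings = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if _covers(earlier["src"], later["src"]) and _covers(earlier["dst"], later["dst"]):
                findings.append({"entry": later["text"], "hidden_by": earlier["text"],
                                 "conflict": earlier["action"] != later["action"]})
                break
    return findings


if __name__ == "__main__":
    for f in find_shadowed(parse_acl(SAMPLE_ACL)):
        kind = "conflicting" if f["conflict"] else "redundant"
        print(f"{kind}: '{f['entry']}' never matches; hidden by '{f['hidden_by']}'")
```

Feed it one ACL per call; it compares only `ip` entries and does not model route-map or crypto map processing.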
umbro
wannabe
Posts: 321
Joined: 07 Mar 2009, 21:20

#29 Post by umbro »

Well, that deny is probably unnecessary.
What do you mean by phase 1?

posiu
wannabe
Posts: 234
Joined: 08 Apr 2006, 10:42
Location: Warszawa

#30 Post by posiu »

Code:

show crypto isakmp sa
and don't cut the NAT out of the configuration, because there is no telling which route map you are using..
This configuration is a complete mess..