!
username /username/ secret ******
!
aaa new-model
!
! userauthen: Xauth per-user login against the local username database; groupauthor: local group policy
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! IKEv1 phase 1 for the VPN client: AES-256, pre-shared key, DH group 2. No "hash" is set,
! so the default SHA-1 applies. Group 2 (1024-bit MODP) is weak by current standards;
! prefer group 14 or higher where the client supports it.
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration address-pool local cisco_client_pool
!
! Client group: "key" is the group pre-shared key shared by every user of the group, so
! per-user identity comes from Xauth (userauthen), not from this key.
! acl 150 is pushed as the split-tunnel list: only traffic for 192.168.1.0/24 enters the tunnel.
crypto isakmp client configuration group /groupname/
key ******
dns 1.1.1.1
domain kb.local
pool cisco_client_pool
acl 150
!
! Dynamic crypto map for peers with unknown source addresses; reverse-route injects a
! static route to each connected client's pool address while its SA is up
crypto dynamic-map dynmap 10
set transform-set KBSET
reverse-route
!
crypto ipsec security-association lifetime seconds 10980
!
! Phase 2: ESP with AES-256 and HMAC-SHA-1 (no AH, so the inbound filter only needs to permit esp)
crypto ipsec transform-set KBSET esp-aes 256 esp-sha-hmac
! clear DF on the encapsulated packet so oversized packets fragment instead of being dropped
crypto ipsec df-bit clear
!
! Bind the AAA lists to the crypto map: Xauth user authentication, group authorization and
! mode-config address assignment on client request; entry 10 ties in the dynamic map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! 11 client addresses; this range is kept out of NAT by the "NAT" access list below
ip local pool cisco_client_pool 192.168.2.10 192.168.2.20
!
access-list 150 remark ------- Split Tunnel Cisco VPN Client -------
! source = network reachable through the tunnel; clients send everything else out their local Internet
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 remark ------- Split Tunnel Cisco VPN Client -------
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
! WAN side: inbound filter, NAT outside and the crypto map that terminates the client tunnels
interface Dialer1
ip access-group Input-Traf1 in
ip nat outside
crypto map clientmap
...
!
! NAT exemption: LAN traffic to the VPN client pool must not be translated, otherwise it would
! leave with the Dialer1 address before encryption and no longer match the client's IPsec SA
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended Input-Traf1
remark -------- TRAF LIST ---------
! IPsec from clients: ESP data, IKE on UDP/500 and IKE over NAT-T on UDP/4500
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
! TCP/2222 from anywhere, logged; the fragment does not show which service listens there
permit tcp any any eq 2222 log
! ICMP for path MTU discovery, traceroute and reachability tests (echo also lets anyone ping the WAN address)
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit icmp any any echo
! Inbound ACLs are checked before NAT, so this deny also catches return traffic for the LAN's
! NAT sessions unless stateful inspection (ip inspect or a zone-based policy) on Dialer1 opens it;
! this fragment does not show one
deny ip any any
remark -------- TRAF LIST ---------
!
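Added here as a verification checklist, not part of the original configuration: IOS exec commands to confirm that the client VPN above is working as intended. The object names (clientmap, cisco_client_pool, Input-Traf1, 150) are the ones from the config; `<client-public-ip>` is a placeholder for a connected client's Internet address, and the expected states in the comments are what IOS reports for a healthy session.

```cisco
! Phase 1: one entry per connected client, state QM_IDLE once Xauth and mode-config have completed
show crypto isakmp sa
! Phase 2: the client's SAs; #pkts encaps and #pkts decaps both climbing means traffic flows both ways
show crypto ipsec sa peer <client-public-ip>
! Session view including the Xauth username and the pool address assigned to the client
show crypto session detail
! Pool usage: one address should show as in use per connected client
show ip local pool cisco_client_pool
! reverse-route: a /32 static route towards each assigned pool address should be present
show ip route static
! LAN -> client traffic must not appear here (it is exempted by the NAT access list)
show ip nat translations
! Hit counts on the inbound filter; the esp, isakmp and non500-isakmp lines should increment during a connection
show ip access-lists Input-Traf1
! The split-tunnel list pushed to clients
show ip access-lists 150
! Xauth or group-key failures: enable only while troubleshooting, then "undebug all"
debug crypto isakmp
```

If phase 1 never reaches QM_IDLE, the debug output distinguishes a wrong group key (phase 1 fails before Xauth) from a bad user login (Xauth rejects after phase 1 completes). If the SAs are up but only #pkts encaps climbs, check the NAT exemption and the reverse-route entries before looking at the client.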