NAT
!
! NAT device: FastEthernet0/0 is the inside (pre-translation) side.
interface FastEthernet0/0
ip nat inside
!
! FastEthernet1/0 is the outside (post-translation) side.
interface FastEthernet1/0
ip nat outside
!
! ACL 100 selects what is translated: only traffic sourced from host 61.128.1.1.
access-list 100 permit ip host 61.128.1.1 any
! PAT ("overload"): matching traffic is translated to the address of FastEthernet1/0.
! NOTE(review): if an IPsec peer sits behind this PAT, IKE would presumably have to
! negotiate NAT traversal (UDP 4500) because ESP has no ports to translate.
! The topology is not shown here; confirm.
ip nat inside source list 100 interface FastEthernet1/0 overload
!
IPSec-HA
Branch
- ! Branch router: IKEv1/IPsec tunnel with two candidate head-end peers.
- ! Crypto ACL: only traffic from host 1.1.1.1 to host 2.2.2.2 is protected.
- access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
- ! IKE phase 1 policy: 3DES, pre-shared key, DH group 2, 28800 s lifetime.
- ! NOTE(review): 3DES and DH group 2 (1024-bit MODP) are legacy choices. AES with a
- ! larger DH group is the usual replacement where every peer supports it. The policy
- ! has to match on all peers, so change them together.
- ! No hash is set, so the platform default applies. Presumably SHA-1; verify with
- ! "show crypto isakmp policy".
- crypto isakmp policy 10
- encr 3des
- authentication pre-share
- group 2
- lifetime 28800
- ! One pre-shared key entry per head-end peer address.
- ! NOTE(review): "cisco" is a lab placeholder and is reused for every peer on this page.
- ! A deployed tunnel needs a long random key unique to each peer pair, or
- ! certificate authentication instead of pre-shared keys.
- crypto isakmp key cisco address 192.168.1.1
- crypto isakmp key cisco address 172.16.1.1
- ! Dead-peer detection every 10 s. Presumably this is what triggers the move to the
- ! second peer when the first stops answering.
- crypto isakmp keepalive 10 periodic
- !
- ! Phase 2 transform: ESP with 3DES encryption and SHA-1 HMAC integrity, tunnel mode.
- crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
- mode tunnel
- !
- ! Crypto map entry 1: 172.16.1.1 is marked "default" (the preferred peer) and
- ! 192.168.1.1 is the alternate. SAs idle for 180 s are torn down. PFS uses DH
- ! group 2 (same legacy caveat as the phase 1 group). ACL 100 defines the
- ! protected traffic.
- crypto map maptest 1 ipsec-isakmp
- set peer 172.16.1.1 default
- set peer 192.168.1.1
- set security-association idle-time 180
- set transform-set ESP-3DES-SHA
- set pfs group2
- match address 100
- !
- ! The crypto map takes effect on FastEthernet0/0.
- interface FastEthernet0/0
- crypto map maptest
Active
- ! Active head-end (IOS syntax): terminates the tunnel from peer 202.100.1.254 and
- ! advertises the remote host into OSPF through reverse-route injection.
- ! IKE phase 1 policy: 3DES, pre-shared key, DH group 2, 28800 s lifetime.
- ! NOTE(review): 3DES and DH group 2 are legacy choices. Upgrading needs the same
- ! change on the remote peer. No hash is set, so the platform default applies;
- ! verify that it matches the peer.
- crypto isakmp policy 10
- encr 3des
- authentication pre-share
- group 2
- lifetime 28800
- ! NOTE(review): "cisco" is a lab placeholder key. Replace it with a long random
- ! per-peer key or certificate authentication outside a lab.
- crypto isakmp key cisco address 202.100.1.254
- ! Dead-peer detection every 10 s.
- crypto isakmp keepalive 10 periodic
- !
- ! Phase 2 transform: ESP with 3DES encryption and SHA-1 HMAC, tunnel mode.
- crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
- mode tunnel
- !
- ! Crypto map entry 1 for peer 202.100.1.254. "reverse-route" installs a static
- ! route for the protected remote network while the SA exists, and
- ! "set reverse-route tag 10" tags that route so route-map s2o can select it.
- crypto map maptest 1 ipsec-isakmp
- set peer 202.100.1.254
- set transform-set ESP-3DES-SHA
- set pfs group2
- set reverse-route tag 10
- match address 100
- reverse-route
- !
- interface FastEthernet0/0
- crypto map maptest
- !
- ! OSPF process 10: static routes are redistributed only if route-map s2o permits
- ! them, which limits redistribution to the tag-10 routes created by the crypto map.
- ! NOTE(review): no OSPF authentication appears in this listing; confirm whether it
- ! is configured elsewhere.
- router ospf 10
- router-id 10.1.1.1
- redistribute static subnets route-map s2o
- network 10.1.1.0 0.0.0.255 area 0
- !
- ! Crypto ACL: protects traffic from host 2.2.2.2 to host 1.1.1.1.
- access-list 100 permit ip host 2.2.2.2 host 1.1.1.1
- !
- ! Redistribution filter: permit only routes carrying tag 10.
- route-map s2o permit 10
- match tag 10
- !
Standby
- ! Standby head-end (ASA-style syntax): answers the tunnel from peer 202.100.1.254
- ! and redistributes the injected route for host 1.1.1.1 into OSPF.
- ! ACL "ipsec", applied inbound on "outside" below, permits ISAKMP (UDP) and ESP
- ! from any source to any destination.
- ! NOTE(review): "any any" is wider than the single peer 202.100.1.254 configured
- ! below. Whether an interface ACL applies at all to traffic that terminates on the
- ! device itself depends on the platform; confirm before relying on it as a filter.
- access-list ipsec extended permit udp any any eq isakmp
- access-list ipsec extended permit esp any any
- ! Crypto ACL: protects traffic from host 2.2.2.2 to host 1.1.1.1.
- access-list outside_cryptomap extended permit ip host 2.2.2.2 host 1.1.1.1
- ! ACL "rri" names the one route (host 1.1.1.1) that route-map s2o lets into OSPF.
- access-list rri standard permit host 1.1.1.1
- access-group ipsec in interface outside
- route-map s2o permit 10
- match ip address rri
- ! OSPF process 10: static routes are redistributed only if route-map s2o permits them.
- ! NOTE(review): no OSPF authentication appears in this listing; confirm whether it
- ! is configured elsewhere.
- router ospf 10
- router-id 10.1.1.2
- network 10.1.1.0 255.255.255.0 area 0
- log-adj-changes
- redistribute static subnets route-map s2o
- ! Phase 2 transform: ESP with 3DES encryption and SHA-1 HMAC.
- crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
- ! Crypto map entry 1: protects outside_cryptomap traffic to peer 202.100.1.254.
- ! "answer-only" means this device responds to the tunnel but does not initiate it.
- ! "set reverse-route" injects a route for the remote side of the crypto ACL.
- ! NOTE(review): "set pfs" names no group, so the platform default applies. Verify
- ! that it matches the peer's PFS group.
- crypto map outside_map 1 match address outside_cryptomap
- crypto map outside_map 1 set pfs
- crypto map outside_map 1 set connection-type answer-only
- crypto map outside_map 1 set peer 202.100.1.254
- crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
- crypto map outside_map 1 set reverse-route
- crypto map outside_map interface outside
- crypto ikev1 enable outside
- ! IKEv1 phase 1 policy: pre-shared key, 3DES, SHA-1, DH group 2, 28800 s lifetime.
- ! NOTE(review): 3DES, SHA-1 and DH group 2 are legacy choices. Upgrading needs the
- ! same change on the remote peer.
- crypto ikev1 policy 10
- authentication pre-share
- encryption 3des
- hash sha
- group 2
- lifetime 28800
- ! LAN-to-LAN tunnel group for peer 202.100.1.254.
- ! NOTE(review): "cisco" is a lab placeholder key. Replace it with a long random
- ! per-peer key or certificate authentication outside a lab.
- tunnel-group 202.100.1.254 type ipsec-l2l
- tunnel-group 202.100.1.254 ipsec-attributes
- ikev1 pre-shared-key cisco
- ! Keepalive (DPD): threshold 30, retry 2.
- isakmp keepalive threshold 30 retry 2