VPN DNS topology example

Last Updated: Nov 06, 2012
! 
! Define the Private Subnet1 
!
interface vlan 1
   description Branch Subnet1
 
!
! 10.0.10.0/24 is the first protected subnet: crypto-list 901 ip-rule 10
! sends its traffic into the tunnel and ACL 301 ip-rule 40 admits inbound
! traffic addressed to it.
!
   ip address  10.0.10.1 255.255.255.0 
!
! icc-vlan / pmi: presumably mark this VLAN as the gateway's management
! interface (PMI) and the one carrying the ICC -- confirm against the
! platform CLI reference.
!
   icc-vlan
   pmi
   exit
! 
! Define the Private Subnet2
!
interface vlan 2
   description Branch Subnet2
 
!
! 10.0.20.0/24 is the second protected subnet: crypto-list 901 ip-rule 20
! tunnels it and ACL 301 ip-rule 50 admits inbound traffic addressed to it.
!
   ip address  10.0.20.1 255.255.255.0 
   exit
! 
! Define the Public Subnet 
!
interface fastethernet 10/3
!
! Public (Internet-facing) address. The crypto list and both access
! control lists are bound to this same interface at the end of the file.
!
   ip address 100.0.0.2 255.255.255.0 
   exit
!
! Define the default gateway to be on the public subnet 
!
! Next hop 100.0.0.1 is on the public /24 configured on fastethernet 10/3.
ip default-gateway 100.0.0.1 
!
! Define the DNS name server 
! that is accessible without VPN.
!
ip domain name-server-list 1
!
! Presumably used to resolve the IKE peer FQDN (main-vpn.avaya.com).
! Queries to this server travel in the clear: crypto-list 901 ip-rule 5
! exempts this destination from protection and the public-interface ACLs
! permit UDP to the Dns port. Keep this address in sync with that rule.
!
   name-server 1 123.124.125.126
   exit
!
! Define the IKE Entity 
!
crypto isakmp policy 1
!
! IKE phase-1 proposal. NOTE(review): SHA-1 ("hash sha") and DH group 2
! (1024-bit MODP) are legacy choices by current guidance; encryption is
! AES here while the IPsec transform-set below still uses 3DES.
! Authentication is by pre-shared key (see the isakmp peer entry).
!
   encryption aes
   hash sha
   group 2
   authentication pre-share
   exit
!
! Define the remote peer as FQDN (DNS Name) 
!
crypto isakmp peer fqdn main-vpn.avaya.com
!
! The peer is identified by DNS name, resolved through the cleartext name
! server defined above, so authentication of the tunnel rests entirely on
! the pre-shared key. <key1> is a placeholder: use a long, random secret
! and do not leave the real value in exported or shared copies of this file.
!
   pre-shared-key <key1>
   isakmp-policy 1
   exit
!
! Define the IPSEC Entity 
!
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
!
! ESP with 3DES encryption and HMAC-SHA1 integrity. NOTE(review): 3DES is a
! legacy 64-bit-block cipher; prefer an AES ESP transform if both this
! platform and the remote peer support one, matching isakmp policy 1.
!
   exit
!
! Define the VPN Tunnel 
! 
crypto map 1
!
! Phase-2 binding referenced by crypto-list 901: the peer name matches the
! isakmp peer entry above, and ts1 must agree with what the remote end proposes.
!
   set peer main-vpn.avaya.com
   set transform-set ts1
   exit
!
! Define the crypto list for the public interface
!
ip crypto-list 901
!
! NOTE(review): the interface is written "Fast Ethernet" here but
! "fastethernet" in the interface commands -- confirm the accepted spelling.
!
   local-address Fast Ethernet 10/3.0
 
!
! ip-rule 5 allows un-encrypted traffic (from any source) to the DNS server
! so the peer FQDN can be resolved before a tunnel exists. Its destination
! must stay in sync with name-server-list 1.
!
   ip-rule 5   
      source-ip      any
      destination-ip 123.124.125.126 
      no protect 
      exit
!
! ip-rules 10/20: all other traffic from the two branch subnets is sent
! through the tunnel of crypto map 1. Rules are presumably evaluated in
! numeric order (first match), which is why rule 5 precedes them.
!
   ip-rule 10
      source-ip      10.0.10.0 0.0.0.255
      destination-ip any
      protect crypto map 1
      exit
   ip-rule 20
      source-ip      10.0.20.0 0.0.0.255
      destination-ip any
      protect crypto map 1
      exit
   exit
!
! Define the Ingress access control list for the public interface
!
ip access-control-list 301
!
! Ingress filter for the public interface: permit what the VPN needs
! (DNS, IKE incl. NAT-T, ESP, ICMP) plus anything addressed to the two
! branch subnets; everything else hits the default deny.
!
! NOTE(review): rule 5 matches UDP *destination* port Dns, i.e. inbound
! queries towards any address, not replies to the gateway's own lookups
! (replies carry source port Dns). Confirm the platform handles return
! traffic for self-originated queries, or that exposing inbound port 53
! is intended.
!
   ip-rule 5
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq Dns
      composite-operation  Permit
      exit
!
! Rules 10-12: IKE on its standard port and on the two NAT-traversal
! ports named by the platform (Ike-nat-t, Ike-nat-t-vsu).
!
   ip-rule 10
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq Ike
      composite-operation  Permit
      exit
   ip-rule 11
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t
      composite-operation permit
      exit
   ip-rule 12
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t-vsu
      composite-operation permit
      exit
!
! Rule 20: the encrypted payload itself (ESP, IP protocol 50).
!
   ip-rule 20
      source-ip            any
      destination-ip       any
      ip-protocol          esp
      composite-operation  Permit
      exit
!
! Rule 30: every ICMP type from any source. NOTE(review): narrow this
! to the needed types if the platform can match on ICMP type.
!
   ip-rule 30
      source-ip            any
      destination-ip       any
      ip-protocol          icmp
      composite-operation  Permit
      exit
!
! Rules 40/50: cleartext packets from ANY source to the branch subnets pass
! this ACL. NOTE(review): this relies on the crypto layer (crypto-list 901
! protect rules) to discard unprotected inbound traffic that should have
! arrived in the tunnel -- confirm that behaviour; the ACL alone does not.
!
   ip-rule 40
      source-ip            any
      destination-ip       10.0.10.0 0.0.0.255
      composite-operation  Permit
      exit
   ip-rule 50
      source-ip            any
      destination-ip       10.0.20.0 0.0.0.255 
      composite-operation  Permit
      exit
!
! Anything not matched above is dropped.
!
 ip-rule default
      composite-operation deny
      exit
    exit
!
! Define the Egress access control list for the public interface
!
ip access-control-list 302
!
! Egress filter for the public interface. Mirrors ACL 301, except that
! rules 40/50 are keyed on the branch subnets as SOURCE. Rule 5 here is
! in the natural direction: outbound DNS queries to destination port dns.
!
   ip-rule 5
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq dns
      composite-operation  Permit
      exit
!
! Rules 10-12: IKE on its standard port and on the two NAT-traversal
! ports named by the platform (Ike-nat-t, Ike-nat-t-vsu).
!
   ip-rule 10
      source-ip            any
      destination-ip       any
      ip-protocol          udp
      udp destination-port eq Ike
      composite-operation  Permit
      exit
   ip-rule 11
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t
      composite-operation permit
      exit
   ip-rule 12
      source-ip any
      destination-ip any 
      ip-protocol     udp
      udp destination-port eq Ike-nat-t-vsu
      composite-operation permit
      exit
!
! Rule 20: the encrypted payload itself (ESP, IP protocol 50).
!
   ip-rule 20
      source-ip            any
      destination-ip       any
      ip-protocol          esp
      composite-operation  Permit
      exit
!
! Rule 30: every ICMP type to any destination.
!
   ip-rule 30
      source-ip            any
      destination-ip       any
      ip-protocol          icmp
      composite-operation  Permit
      exit
!
! Rules 40/50: traffic originating in the branch subnets may leave; what
! is tunnelled versus sent in the clear is decided by crypto-list 901.
!
   ip-rule 40
      source-ip            10.0.10.0 0.0.0.255
      destination-ip       any
      composite-operation  Permit
      exit
 ip-rule 50
      source-ip            10.0.20.0 0.0.0.255 
      destination-ip       any
      composite-operation  Permit
      exit
!
! Anything not matched above is dropped.
!
   ip-rule default
      composite-operation deny
      exit
    exit
! 
! Activate the crypto list and the access control lists on the public interface
!
interface fastethernet 10/3
!
! Bind the policy objects defined above: crypto-list 901 selects what is
! tunnelled, ACL 301 filters inbound and ACL 302 filters outbound packets.
!
   ip crypto-group 901
   ip access-group 301 in
   ip access-group 302 out 
   exit