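/*
 * IKE (phase 1) for the site-to-site tunnel to the Cisco peer at 202.100.1.1.
 * No "version" statement is present, so this is IKEv1. With pre-shared keys
 * and static peer addresses main mode (below) is the right choice; never use
 * aggressive mode, which hands the PSK hash to anyone on the path for offline
 * cracking.
 */
ike {
    /*
     * Preferred proposal: AES-256 / SHA-256 / DH group 14 (2048-bit MODP).
     * 3DES, MD5 and DH group 2 (1024-bit MODP) are deprecated and must not be
     * used for new tunnels.
     */
    proposal ike-prop-strong {
        authentication-method pre-shared-keys;
        dh-group group14;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
    }
    /*
     * Legacy proposal, kept only so the tunnel keeps negotiating until the
     * Cisco side (crypto isakmp policy 10: 3des / md5 / group 2) offers the
     * stronger set. Delete it as soon as the peer is migrated; while it is
     * present a downgrade to 3DES/MD5 remains negotiable.
     */
    proposal ike-prop {
        authentication-method pre-shared-keys;
        dh-group group2;
        authentication-algorithm md5;
        encryption-algorithm 3des-cbc;
    }
    policy L2L {
        mode main;
        /* Offered in this order; the strong set is preferred when the peer supports it. */
        proposals [ ike-prop-strong ike-prop ];
        /*
         * "freeit123" is a short dictionary-style key and is the same value as
         * in the Cisco keyring. Rotate both peers to a long random key at the
         * same time. A live SRX shows "ascii-text" $9$-obfuscated, so a clear
         * value here means the listing was typed by hand or sanitised; either
         * way the key is now in this document and must be treated as leaked.
         * (The original line was also missing its terminating ";".)
         */
        pre-shared-key ascii-text "freeit123";
    }
    gateway GW {
        ike-policy L2L;
        /* Cisco FastEthernet0/0; the tunnel terminates on ge-0/0/1.0 (untrust). */
        address 202.100.1.1;
        external-interface ge-0/0/1.0;
    }
}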
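/*
 * IPsec (phase 2). The VPN object below is what the security policies
 * reference as "ipsec-vpn MAP". The source listing shows the keyword as "***",
 * which presumably is a scrubbed "vpn"; confirm against the running config.
 */
ipsec {
    /* Preferred ESP set: AES-256-CBC with HMAC-SHA-256-128 integrity. */
    proposal ipsec-prop-strong {
        protocol esp;
        authentication-algorithm hmac-sha-256-128;
        encryption-algorithm aes-256-cbc;
    }
    /*
     * Legacy ESP 3DES / HMAC-MD5-96 set, matching the Cisco transform-set
     * L2L-IPSEC. Remove it once the peer negotiates AES/SHA-256, otherwise the
     * weak set stays negotiable.
     */
    proposal ipsec-prop {
        protocol esp;
        authentication-algorithm hmac-md5-96;
        encryption-algorithm 3des-cbc;
    }
    policy L2L-IPSEC {
        /*
         * No perfect-forward-secrecy is configured on either peer, so the
         * phase 2 keys are derived from the phase 1 DH exchange only. Add
         * "perfect-forward-secrecy keys group14" here together with
         * "set pfs group14" on the Cisco crypto map once both sides run the
         * strong proposals.
         */
        proposals [ ipsec-prop-strong ipsec-prop ];
    }
    vpn MAP {
        ike {
            gateway GW;
            ipsec-policy L2L-IPSEC;
        }
        /* Policy-based VPN: SAs are built by the first matching flow, not at boot. */
        establish-tunnels on-traffic;
    }
}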
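/*
 * Zone-attached address books. "cisco" is the LAN behind the Cisco peer
 * (its Loopback1, 10.1.1.0/24) and "DMZ" is the single host 172.16.2.22 that
 * the tunnel exposes. In a policy-based VPN these objects become the phase 2
 * proxy-IDs, so they and the Cisco crypto ACL 100 must stay mirror images or
 * phase 2 will not negotiate.
 * The closing brace of this stanza was missing from the original listing.
 */
address-book {
    dmz {
        address DMZ 172.16.2.22/32;
        attach {
            zone dmz;
        }
    }
    untrust {
        address cisco 10.1.1.0/24;
        attach {
            zone untrust;
        }
    }
}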
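/*
 * Security policies. Junos evaluates them top-down per zone pair and drops
 * whatever matches none; the explicit "default-deny" entries exist so those
 * drops are logged rather than discarded silently (a "security log" / syslog
 * destination must be configured elsewhere for the logs to go anywhere).
 * The VPN keyword is shown as "ipsec-***" in the source listing, presumably a
 * scrubbed "ipsec-vpn"; confirm against the running configuration.
 */
policies {
    /* Intra-zone traffic inside trust is unrestricted. */
    from-zone trust to-zone trust {
        policy default-permit {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                /* Log inbound drops so scans and misrouted traffic are visible. */
                log {
                    session-init;
                }
            }
        }
    }
    /*
     * Unrestricted egress for the trust LAN. Acceptable in a lab; in
     * production narrow "application any" to the protocols actually needed.
     */
    from-zone trust to-zone untrust {
        policy trust-untrust-policy {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    /*
     * Policy-based VPN, inbound leg: only the Cisco LAN (10.1.1.0/24) may reach
     * the DMZ host 172.16.2.22, and only through the tunnel. The "cisco" and
     * "DMZ" objects double as the phase 2 proxy-IDs, so they must stay in step
     * with the Cisco crypto ACL.
     */
    from-zone untrust to-zone dmz {
        policy untrust-dmz-policy {
            match {
                source-address cisco;
                destination-address DMZ;
                /* TODO(review): restrict to the service the DMZ host actually offers. */
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn MAP;
                        pair-policy dmz-untrust-policy;
                    }
                }
                /* Record every tunnelled session for audit and incident response. */
                log {
                    session-close;
                }
            }
        }
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    /* Outbound leg of the same tunnel (pair-policy of the entry above). */
    from-zone dmz to-zone untrust {
        policy dmz-untrust-policy {
            match {
                source-address DMZ;
                destination-address cisco;
                application any;
            }
            then {
                permit {
                    tunnel {
                        ipsec-vpn MAP;
                        pair-policy untrust-dmz-policy;
                    }
                }
                log {
                    session-close;
                }
            }
        }
        policy default-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
}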
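/*
 * Zones and the device services each one may reach. "host-inbound-traffic"
 * governs what the SRX itself answers on a zone or interface, not transit
 * traffic (that is the job of the security policies).
 */
zones {
    security-zone trust {
        /* Answer non-SYN TCP segments that match no session with a RST. */
        tcp-rst;
        host-inbound-traffic {
            system-services {
                ssh;
                ping;
                https;
            }
        }
        interfaces {
            ge-0/0/0.0 {
                /*
                 * telnet and http were removed from this list: both carry admin
                 * credentials in clear text and ssh/https are already allowed.
                 * dhcp is kept so the interface can still serve/obtain leases.
                 */
                host-inbound-traffic {
                    system-services {
                        https;
                        ssh;
                        dhcp;
                    }
                }
            }
        }
    }
    /*
     * Internet-facing zone. "ike" (UDP 500/4500) must be open here for the
     * tunnel to negotiate. ssh, https and ping are answered from any source on
     * the Internet; management should move to an out-of-band path or be
     * limited with a loopback firewall filter. The "untrust-screen" profile
     * referenced here is not part of this listing, so its IDS options cannot be
     * reviewed.
     */
    security-zone untrust {
        screen untrust-screen;
        host-inbound-traffic {
            system-services {
                ssh;
                https;
                ping;
                ike;
            }
        }
        interfaces {
            ge-0/0/1.0;
        }
    }
    /*
     * DMZ segment. ssh to the SRX itself is allowed from here, which gives a
     * compromised DMZ host a path to the firewall's management plane; drop it
     * unless the DMZ is genuinely used for administration.
     */
    security-zone dmz {
        interfaces {
            ge-0/0/2.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                    }
                }
            }
        }
    }
}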
----------------------------------------
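! IKEv1 pre-shared key for the SRX peer (192.168.114.190 is presumably the
! SRX's ge-0/0/1.0 address; it is not part of this listing). "freeit123" is a
! short dictionary-style key and is identical to the SRX value: rotate both
! peers to a long random key at the same time, and store it as a type 6
! secret ("key config-key password-encrypt" + "password encryption aes")
! rather than in clear text in the running config.
crypto keyring L2L-keyring
 pre-shared-key address 192.168.114.190 key freeit123
!
! Preferred phase 1 policy: AES-256 / SHA-256 / DH group 14. A lower policy
! number is higher priority, so this set is tried before policy 10.
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Legacy policy matching the SRX proposal "ike-prop" (3des / md5 / group 2).
! Kept only until the SRX side negotiates the stronger set, then remove it:
! recent IOS releases already warn that 3DES, MD5 and DH group 2 are
! deprecated.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Bind the keyring to this one peer (identity matched on the /32 address).
crypto isakmp profile L2L
 keyring L2L-keyring
 match identity address 192.168.114.190 255.255.255.255
!
! Preferred ESP set: AES-256 with HMAC-SHA-256.
crypto ipsec transform-set L2L-IPSEC-STRONG esp-aes 256 esp-sha256-hmac
! Legacy ESP 3DES / HMAC-MD5-96 set matching the SRX "ipsec-prop"; remove once
! the SRX negotiates the strong set.
crypto ipsec transform-set L2L-IPSEC esp-3des esp-md5-hmac
!
! Policy-based crypto map. Interesting traffic is selected by ACL 100, which
! must mirror the SRX address objects (10.1.1.0/24 <-> 172.16.2.22/32).
! Transform sets are offered in the listed order. No "set pfs" is present;
! add "set pfs group14" together with PFS on the SRX IPsec policy once both
! peers run the strong proposals.
crypto map MAP 10 ipsec-isakmp
 set peer 192.168.114.190
 set transform-set L2L-IPSEC-STRONG L2L-IPSEC
 set isakmp-profile L2L
 match address 100
!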
! Loopback1 stands in for the LAN behind the Cisco router: 10.1.1.0/24 is the
! source network of crypto ACL 100 and the "cisco" address object on the SRX.
interface Loopback1
ip address 10.1.1.1 255.255.255.0
!
! Outside interface. 202.100.1.1 is the address the SRX gateway "GW" points
! at; the crypto map is bound here so matching traffic leaving this
! interface is encrypted.
interface FastEthernet0/0
ip address 202.100.1.1 255.255.255.0
duplex auto
speed auto
crypto map MAP
!
! Unused and administratively down.
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! Default route via 202.100.1.2 carries both the IKE/ESP traffic to the SRX
! peer and everything else; the crypto map, not the route, decides what is
! encrypted.
ip classless
ip route 0.0.0.0 0.0.0.0 202.100.1.2
!
!
! Web management is disabled on the router - keep it that way; the only
! management paths are whatever line/vty configuration is outside this
! listing.
no ip http server
no ip http secure-server
!
! Crypto ACL for crypto map MAP: Cisco LAN 10.1.1.0/24 to the single DMZ host
! 172.16.2.22. It is the mirror image of the SRX "cisco" -> "DMZ" policy pair;
! any change here must be made on the SRX address objects as well or phase 2
! will fail. Note it permits all IP protocols; narrow it if only one service
! is needed.
access-list 100 permit ip 10.1.1.0 0.0.0.255 host 172.16.2.22
---------------------------------------------------