Hi All,
I am doing YB lab 1, Q 3.2, IPsec L2L tunnel. I am getting an issue and am not
able to solve it.
I have configured the R5 router and ASA2 for L2L IPsec. The VPN tunnel gets
established when traffic is initiated from the R5 side, but it does not come up
when traffic is initiated from the ASA2 side (i.e. from SW2).
I am getting the following error on the R5 router:
Sep 26 02:20:47.073: ISAKMP:(1024):Checking IPSec proposal 1
Sep 26 02:20:47.073: ISAKMP: transform 1, ESP_3DES
Sep 26 02:20:47.073: ISAKMP: attributes in transform:
Sep 26 02:20:47.073: ISAKMP: SA life type in seconds
Sep 26 02:20:47.073: ISAKMP: SA life duration (basic) of 3600
Sep 26 02:20:47.073: ISAKMP: SA life type in kilobytes
Sep 26 02:20:47.073: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Sep 26 02:20:47.073: ISAKMP: encaps is 1 (Tunnel)
Sep 26 02:20:47.073: ISAKMP: authenticator is HMAC-MD5
Sep 26 02:20:47.073: ISAKMP:(1024):atts are acceptable.
Sep 26 02:20:47.073: ISAKMP:(1024): IPSec policy invalidated proposal with error 32
Sep 26 02:20:47.073: ISAKMP:(1024): phase 2 SA policy not acceptable! (local 192.168.55.55 remote 192.168.9.10)
Sep 26 02:20:47.073: ISAKMP: set new node -795672340 to QM_IDLE
Sep 26 02:20:47.073: ISAKMP:(1024):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1711436688, message ID = -795672340
Sep 26 02:20:47.073: ISAKMP:(1024): sending packet to 192.168.9.10 my_port 500 peer_port 500 (R) QM_IDLE
Sep 26 02:20:47.073: ISAKMP:(1024):Sending an IKE IPv4 Packet.
Sep 26 02:20:47.073: ISAKMP:(1024):purging node -795672340
Sep 26 02:20:47.077: ISAKMP:(1024):deleting node 326691547 error TRUE reason "QM rejected"
Sep 26 02:20:47.077: ISAKMP:(1024):Node 326691547, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 26 02:20:47.077: ISAKMP:(1024):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 26 02:20:54.761: ISAKMP:(1023):purging SA., sa=65697D00, delme=65697D00
It shows that phase 1 is completed and phase 2 (QM) has started, but the
proposal is not accepted.
I am attaching the configs and debug output for your reference.
Kindly help me to solve this issue.
Regards,
DMG
ASA2# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname ASA2
enable password iNwOcVssa8t7ft5M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description connection to SW2-Gi1/0/12
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description connection to SW1-Gi1/0/14
nameif inside
security-level 100
ip address 192.168.10.10 255.255.255.0
authentication key eigrp 10 ***** key-id 1
authentication mode eigrp 10 md5
!
interface GigabitEthernet0/2
description connection to SW2-Gi1/0/13
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description connection to SW1-Gi1/0/13
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 192.168.9.10 255.255.255.0
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!
ftp mode passive
clock timezone IST 5 30
access-list Outside-In extended permit icmp any any
access-list 100 extended permit ip host 10.8.8.8 host 10.5.5.5
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (outside,inside) 192.168.10.6 10.6.6.6 netmask 255.255.255.255
access-group Outside-In in interface outside
!
router ospf 1
network 192.168.9.0 255.255.255.0 area 0
log-adj-changes
redistribute eigrp 10 metric 1 subnets
!
router eigrp 10
no auto-summary
network 192.168.10.0 255.255.255.0
redistribute ospf 1 metric 1 1 1 1 1
!
route outside 0.0.0.0 0.0.0.0 192.168.9.4 1 track 1
route outside 0.0.0.0 0.0.0.0 192.168.9.3 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 2
type echo protocol ipIcmpEcho 10.4.4.4 interface outside
num-packets 3
frequency 5
sla monitor schedule 2 life forever start-time now
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN 1 match address 100
crypto map VPN 1 set peer 192.168.55.55
crypto map VPN 1 set transform-set TS
crypto map VPN 1 set trustpoint myCA
crypto map VPN interface outside
crypto ca trustpoint myCA
enrollment url http://10.1.1.1:80
crl configure
crypto ca certificate chain myCA
certificate 03
quit
certificate ca 01
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
!
track 1 rtr 2 reachability
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.1
tunnel-group 192.168.55.55 type ipsec-l2l
tunnel-group 192.168.55.55 ipsec-attributes
trust-point myCA
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dd782afba614622767a5adcd4bdbd5df
: end
---
ASA2
%ASA-5-713119: Group = 192.168.55.55, IP = 192.168.55.55, PHASE 1 COMPLETED
%ASA-7-713121: IP = 192.168.55.55, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 192.168.55.55, IP = 192.168.55.55, Starting P1 rekey timer: 82080 seconds.
%ASA-7-715006: Group = 192.168.55.55, IP = 192.168.55.55, IKE got SPI from key engine: SPI = 0xed856b3f
%ASA-7-713906: Group = 192.168.55.55, IP = 192.168.55.55, oakley constucting quick mode
%ASA-7-715046: Group = 192.168.55.55, IP = 192.168.55.55, constructing blank hash payload
%ASA-7-715046: Group = 192.168.55.55, IP = 192.168.55.55, constructing IPSec SA payload
%ASA-7-715046: Group = 192.168.55.55, IP = 192.168.55.55, constructing IPSec nonce payload
%ASA-7-715001: Group = 192.168.55.55, IP = 192.168.55.55, constructing proxy ID
%ASA-7-713906: Group = 192.168.55.55, IP = 192.168.55.55, Transmitting Proxy Id:
Local host: 10.8.8.8 Protocol 0 Port 0
Remote host: 10.5.5.5 Protocol 0 Port 0
%ASA-7-714007: Group = 192.168.55.55, IP = 192.168.55.55, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = 192.168.55.55, IP = 192.168.55.55, constructing qm hash payload
%ASA-7-714004: Group = 192.168.55.55, IP = 192.168.55.55, IKE Initiator sending 1st QM pkt: msg id = 1378eadb
%ASA-7-713236: IP = 192.168.55.55, IKE_DECODE SENDING Message (msgid=1378eadb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (
1: IP = 192.168.55.55, constructing Cisco Unity VID payload
1) + NONE (0) total length : 184
%ASA-7-713236: IP = 192.168.55.55, IKE_DECODE RECEIVED Message (msgid=d09300ec) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 76
%ASA-7-715047: Group = 192.168.55.55, IP = 192.168.55.55, processing hash payload
%ASA-7-715047: Group = 192.168.55.55, IP = 192.168.55.55, processing notify payload
%ASA-5-713068: Group = 192.168.55.55, IP = 192.168.55.55, Received non-routine Notify message: No proposal chosen (14)
%ASA-7-609001: Built local-host inside:10.8.8.8
%ASA-7-609001: Built local-host outside:10.5.5.5
%ASA-7-609002: Teardown local-host inside:10.8.8.8 duration 0:00:00
%ASA-7-609002: Teardown local-host outside:10.5.5.5 duration 0:00:00
---
R5#sh run
Building configuration...
Current configuration : 7380 bytes
!
! Last configuration change at 08:04:28 IST Mon Sep 26 2011
! NVRAM config last updated at 03:30:12 IST Mon Sep 26 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
no logging on
enable secret 5 $1$t37w$8lOjMTATpwAzhMKWiGtZ20
!
no aaa new-model
memory-size iomem 5
clock timezone IST 5 30
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
multilink bundle-name authenticated
frame-relay switching
!
parameter-map type regex emailid
pattern [email protected]
!
crypto pki trustpoint myCA
enrollment url http://10.1.1.1:80
revocation-check none
!
!
!
crypto pki certificate map CERT-MAP 1
issuer-name co myca
subject-name co asa2
!
crypto pki certificate chain myCA
certificate 02
quit
certificate ca 01
quit
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
crypto isakmp identity dn
crypto isakmp profile TEST
ca trust-point myCA
match certificate CERT-MAP
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map VPN local-address Loopback1
crypto map VPN 10 ipsec-isakmp
set peer 192.168.9.10
set transform-set TS
set isakmp-profile TEST
match address 100
!
!
!
ip tcp synwait-time 5
!
class-map type inspect match-any CM-TEL-SSH
match protocol telnet
match protocol ssh
class-map type inspect match-all CM-C-R
match access-group 101
class-map type inspect match-all CM-ICMP-R-C
match protocol icmp
class-map type inspect match-all CM-SMTP-R-C
match protocol smtp
class-map type inspect match-all CM-HTTP-R-C
match protocol http
class-map type inspect http match-any CM-HTTP-7-R-C
match request port-misuse tunneling
class-map type inspect smtp match-all CM-SMTP-7-R-C
match sender address regex emailid
match data-length gt 10000000
!
!
policy-map type inspect PM-C-R
class type inspect CM-C-R
inspect
class class-default
drop
policy-map type inspect smtp PM-SMTP-7-R-C
class type inspect smtp CM-SMTP-7-R-C
reset
policy-map type inspect http PM-HTTP-7-R-C
class type inspect http CM-HTTP-7-R-C
reset
policy-map type inspect PM-R-C
class type inspect CM-TEL-SSH
inspect
class type inspect CM-SMTP-R-C
inspect
service-policy smtp PM-SMTP-7-R-C
class type inspect CM-HTTP-R-C
inspect
service-policy http PM-HTTP-7-R-C
class type inspect CM-ICMP-R-C
inspect
police rate 20000 burst 2000
class class-default
drop
!
zone security CENTRAL
zone security REMOTE
zone-pair security central_remote source CENTRAL destination REMOTE
service-policy type inspect PM-C-R
zone-pair security remote_central source REMOTE destination CENTRAL
service-policy type inspect PM-R-C
!
!
!
interface Loopback0
ip address 10.5.5.5 255.255.255.0
!
interface Loopback1
ip address 192.168.55.55 255.255.255.0
!
interface Loopback5
ip address 10.55.55.55 255.255.255.255
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0
description connection to SW1-Giga1/0/5
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
description connection to SW2-Giga1/0/5
ip address 192.168.11.10 255.255.255.0
duplex auto
speed auto
ntp broadcast
!
interface Serial0/0/0
description connection to BB1-S1/4
ip address 192.168.65.5 255.255.255.0
zone-member security CENTRAL
encapsulation frame-relay
ip ospf network point-to-point
frame-relay map ip 192.168.65.6 565 broadcast
no frame-relay inverse-arp
crypto map VPN
!
interface Serial0/0/1
ip address 192.168.35.5 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security REMOTE
encapsulation ppp
ip ospf network point-to-point
no fair-queue
clock rate 2000000
crypto map VPN
!
router ospf 1
log-adjacency-changes
network 10.5.5.0 0.0.0.255 area 0
network 10.55.55.0 0.0.0.255 area 0
network 192.168.35.0 0.0.0.255 area 0
network 192.168.55.55 0.0.0.0 area 0
network 192.168.65.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map s0 interface Serial0/0/0 overload
ip nat inside source route-map s1 interface Serial0/0/1 overload
!
access-list 100 permit ip host 10.5.5.5 host 10.8.8.8
access-list 101 permit ip any any
access-list 102 permit ip any host 10.55.55.55
!
!
!
!
route-map s1 permit 10
match ip address 102
match interface Serial0/0/1
!
route-map s0 permit 10
match ip address 102
match interface Serial0/0/0
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line aux 0
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
line vty 0 4
exec-timeout 0 0
password cisco
logging synchronous
login
transport input telnet
!
scheduler allocate 20000 1000
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 10.1.1.1
end
R5#
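
A consistency check over the phase 2 lines of the two configurations above, as an added example that is not part of the original post: it compares the transform sets, tests that the crypto ACLs are mirror images, and tests that each `set peer` points at the other side's local endpoint. The function names are hypothetical; the local endpoint addresses passed in (192.168.9.10 for ASA2's outside interface, 192.168.55.55 for R5's Loopback1) are read from the posted configs.

```python
import re

# Phase 2 lines copied from the two configurations in the post.
ASA2_CFG = """\
access-list 100 extended permit ip host 10.8.8.8 host 10.5.5.5
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map VPN 1 match address 100
crypto map VPN 1 set peer 192.168.55.55
crypto map VPN 1 set transform-set TS
"""
R5_CFG = """\
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set TS
 match address 100
access-list 100 permit ip host 10.5.5.5 host 10.8.8.8
"""


def phase2_view(cfg):
    """Extract the phase 2 parameters that the crypto map entry references."""
    tsets = {name: frozenset(body.split()) for name, body in
             re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}
    ts_name = re.search(r"set transform-set (\S+)", cfg).group(1)
    acl = re.search(r"match address (\S+)", cfg).group(1)
    # Assumption: only 'permit ip host A host B' entries, which is all the post uses.
    pairs = set(re.findall(
        rf"^access-list {re.escape(acl)} (?:extended )?permit ip host (\S+) host (\S+)$",
        cfg, re.M))
    peer = re.search(r"set peer (\S+)", cfg).group(1)
    return {"transforms": tsets[ts_name], "proxy": pairs, "peer": peer}


def compare(a, a_local, b, b_local):
    """Return the phase 2 mismatches between two peers (empty list = consistent)."""
    issues = []
    if a["transforms"] != b["transforms"]:
        issues.append("transform sets differ")
    # Each side's (source, destination) pairs must be the other's, reversed.
    if a["proxy"] != {(dst, src) for src, dst in b["proxy"]}:
        issues.append("crypto ACLs are not mirror images")
    if a["peer"] != b_local or b["peer"] != a_local:
        issues.append("peer address does not match the other side's local endpoint")
    return issues


if __name__ == "__main__":
    asa, r5 = phase2_view(ASA2_CFG), phase2_view(R5_CFG)
    print(compare(asa, "192.168.9.10", r5, "192.168.55.55"))
    # Constructed variant with a wrong host in R5's ACL, to show a reported mismatch.
    broken = phase2_view(R5_CFG.replace("host 10.8.8.8", "host 10.8.8.9"))
    print(compare(asa, "192.168.9.10", broken, "192.168.55.55"))
```

On the posted configs the list comes back empty: transform set, proxy identities and peer addresses agree in both directions.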