The Cisco Template thread

k1pp3r

I thought it would help individuals here (both experienced and newcomers to Cisco gear) to have a thread with basic or advanced templates in it. Templates help reduce the config time of routers and firewalls, for me at least.

Please label your template with the device it was written for and what its purpose is.

Please do not post short commands unless you don't remember the full command ;)

PLEASE REMOVE ANY IP'S OR PROPRIETARY INFORMATION FROM TEMPLATES

here are a few to start

>Cisco ASA 55xx series firewalls

>VPN client connection (Non-SSL based)

Code:
! Split-tunnel ACL: only traffic to the internal subnet goes through the tunnel
access-list remotevpn_splitTunnelAcl standard permit {Internal subnet} {Internal Subnet mask}
! NAT exemption so VPN clients reach the inside network untranslated (pre-8.3 NAT syntax)
access-list inside_nat0_outbound extended permit ip {Internal subnet} {Internal Subnet mask} {VPN subnet} {VPN Subnet mask}
ip local pool vpnpool {VPN DHCP Pool} mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! RADIUS (Windows IAS) for user authentication
aaa-server windowsias protocol radius
aaa-server windowsias host {Radius Server}
 key {Radius key}
 radius-common-pw {password}
group-policy remotevpn internal
group-policy remotevpn attributes
 dns-server value {DNS Server}
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remotevpn_splitTunnelAcl
 default-domain value {Domain}
! Phase 2 (IPsec) proposal, offered to any peer through the dynamic map
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
! Phase 1 (IKEv1) policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! The tunnel-group name is the "group name" the client is configured with
tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 authentication-server-group windowsias
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key {Key}

>Blocking websites using regular expressions

Code:
! Host-header patterns. The leading \. means a bare "Host: facebook.com"
! (no subdomain) is NOT matched; drop the leading \. if that should be blocked too.
regex domainlist1 "\.youtube\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.facebook\.com"
regex domainlist4 "\.streamaudio\.com"
regex domainlist5 "\.windowsmedia\.com"
regex domainlist6 "\.itunes\.com"
regex domainlist7 "\.monster\.com"
regex domainlist8 "\.hotels\.com"

! Only clear-text HTTP on tcp/80 is inspected; HTTPS never reaches this policy
access-list inside_mpc extended permit tcp any any eq www

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
 match regex domainlist4
 match regex domainlist5
 match regex domainlist6
 match regex domainlist7
 match regex domainlist8

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

class-map httptraffic
 match access-list inside_mpc

policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection
 match request method connect
  drop-connection log
 class BlockDomainsClass
  reset log
! class AppHeaderClass and class BlockURLsClass were also referenced here but are
! not defined above; the policy-map rejects an undefined class, so define them
! first and then re-add:
! class AppHeaderClass
!  drop-connection log
! class BlockURLsClass
!  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside

> Image Update (versions may differ) *Must have TFTP server for update

Code:
! Interactive copy: the three lines after each command answer the prompts
! (TFTP server address, source file on the server, destination file on flash)
copy tftp: disk0:
{IP OF TFTP Server}
asa\asa822-k8.bin
asa822-k8.bin

copy tftp: disk0:
{IP OF TFTP Server}
asa\asdm-625.bin
asdm-625.bin

! Optional but recommended: verify /md5 disk0:/asa822-k8.bin and compare the
! hash with the one published on cisco.com before booting the new image
config t
boot system disk0:/asa822-k8.bin
asdm image disk0:/asdm-625.bin
write mem
show boot

> Basic Configuration *Very Basic*

Code:
! Remove the factory-default DHCP server on the inside interface
no dhcpd enable inside
no dhcpd address 192.168.1.5-192.168.1.254 inside
no dhcpd address 192.168.1.2-192.168.1.129 inside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address {Inside IP} 255.255.255.0
!
hostname {ASA NAME}
!
enable password {Password}
passwd {Password}
!
interface Vlan2
 nameif outside
 security-level 0
 ip address {Outside IP} {Outside Subnet}
!
dns domain-lookup outside
dns server-group DefaultDNS
 name-server {Outside DNS}
 name-server {Outside DNS 2}
!
route outside 0.0.0.0 0.0.0.0 {Gateway} 1
!
clock timezone EST -5
!
! "public" is the well-known default community string; replace it with the same
! non-default string used in the snmp-server community line below
snmp-server host inside {SNMP Host} community public version 2c
snmp-server location {Location}
snmp-server contact {Contact}
snmp-server community {Community password}
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
tftp-server outside {Outside TFTP Server} {TFTP Image path}
!
! telnet is clear-text; keep it limited to the inside network (or use ssh instead)
telnet {Inside Network} 255.255.255.0 inside
!
no http 192.168.1.0 255.255.255.0 inside
http {Inside Network} 255.255.255.0 inside
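
Added example (not part of the original post and not a Cisco tool) for the "remove any IPs or proprietary information" rule above: a Python script that redacts a pasted ASA/IOS config before it goes into the thread. Secrets that follow key, password, community or pre-shared-key keywords become {REDACTED}, and every IPv4 address that is not a netmask or wildcard mask becomes a stable {IP-n} placeholder, so the template stays readable in the thread's own {placeholder} style. The keyword list, the mask test and the sample config are this example's own assumptions.

```python
import ipaddress
import re

# Keywords whose next token is a secret in ASA/IOS configs. The list is this
# example's own; extend it for anything else your configs carry.
SECRET_RE = re.compile(
    r"^(?P<prefix>\s*(?:"
    r"hostname|enable password|passwd|pre-shared-key|key-string|radius-common-pw|"
    r"key(?!\s+(?:chain|\d+)\b)|"          # 'key <secret>' but not 'key chain X' / 'key 10'
    r"snmp-server community|snmp-server host \S+ \S+ community|"
    r"username \S+ password|vpnclient (?:vpngroup|username) \S+ password"
    r")\s+)(?P<secret>\S+)(?P<rest>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_mask(addr):
    """True for a netmask (1s then 0s) or a wildcard mask (0s then 1s); these
    say nothing about your addressing and are kept verbatim."""
    try:
        bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    except ValueError:
        return False
    return "0" not in bits.rstrip("0") or "1" not in bits.rstrip("1")


def redact_config(text):
    """Return (redacted_text, ip_map). Secrets become {REDACTED}; every other
    IPv4 address becomes {IP-n}, with the same n each time it appears so the
    template still shows which lines refer to the same host."""
    ip_map = {}

    def sub_ip(m):
        ip = m.group(1)
        if is_mask(ip):
            return ip
        return ip_map.setdefault(ip, "{IP-%d}" % (len(ip_map) + 1))

    out = []
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            line = m.group("prefix") + "{REDACTED}" + m.group("rest")
        out.append(IPV4_RE.sub(sub_ip, line))
    return "\n".join(out), ip_map


# Constructed sample (not a real config) mixing the line types seen in this thread.
SAMPLE = """\
hostname fw1
enable password s3cret encrypted
aaa-server windowsias host 10.10.10.5
 key r4diusKey
snmp-server host inside 10.10.10.9 community public version 2c
snmp-server community Secr3t
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
static (inside,outside) 203.0.113.10 10.10.10.5 netmask 255.255.255.255
access-list VLAN1_ACL permit ip 10.5.11.0 0.0.0.255 10.5.12.0 0.0.0.255
tunnel-group remotevpn ipsec-attributes
 pre-shared-key MyPSK
key chain PFRKEY
 key 10
  key-string password
"""

if __name__ == "__main__":
    redacted, ips = redact_config(SAMPLE)
    print(redacted)
    print("address map:", ips)
```

Feed it a `show running-config` instead of SAMPLE and review the returned address map before posting. The mask test keeps 255.255.255.0 and 0.0.0.255 but replaces 10.5.11.0, and `key chain` / `key 10` lines (as in the PfR config further down the thread) are left alone because the token after `key` is a name or a number there, not a secret.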
 
great idea, would love to see what some of the bigger gurus would do for a pretty basic but protected config for an edge router. On my edge router ATM I have basic things turned off and NAT, not sure what else to do, and SDM just overdoes the protection to the point my stuff doesn't work.
 
Is it a MUST to have a radius server with the ASA vpn?

Nope, if you have a windows 2000/2003 domain you can just setup ntauth to authenticate users against AD. Not the best option but it beats local user list. I'm sure there's some security issue there, too.


and my contribution, a template for doing VLAN MAP ACLs on L3 Cisco switches. Assumes you have VLANs 1-4 and you don't want them to be able to talk to each other but still access some other network, like the internets.

Code:
! VLAN map template. Assumes VLAN1 = 10.5.11.0/24, VLAN2 = 10.5.12.0/24,
! VLAN3 = 10.5.13.0/24, VLAN4 = 10.5.14.0/24.
! The ACLs select the inter-VLAN traffic: "permit" here means "match", and the
! access-map's "action drop" is what discards it. Define them before the maps.
ip access-list extended VLAN1_ACL
 permit ip 10.5.11.0 0.0.0.255 10.5.12.0 0.0.0.255
 permit ip 10.5.11.0 0.0.0.255 10.5.13.0 0.0.0.255
 permit ip 10.5.11.0 0.0.0.255 10.5.14.0 0.0.0.255
ip access-list extended VLAN2_ACL
 permit ip 10.5.12.0 0.0.0.255 10.5.11.0 0.0.0.255
 permit ip 10.5.12.0 0.0.0.255 10.5.13.0 0.0.0.255
 permit ip 10.5.12.0 0.0.0.255 10.5.14.0 0.0.0.255
ip access-list extended VLAN3_ACL
 permit ip 10.5.13.0 0.0.0.255 10.5.11.0 0.0.0.255
 permit ip 10.5.13.0 0.0.0.255 10.5.12.0 0.0.0.255
 permit ip 10.5.13.0 0.0.0.255 10.5.14.0 0.0.0.255
ip access-list extended VLAN4_ACL
 permit ip 10.5.14.0 0.0.0.255 10.5.11.0 0.0.0.255
 permit ip 10.5.14.0 0.0.0.255 10.5.12.0 0.0.0.255
 permit ip 10.5.14.0 0.0.0.255 10.5.13.0 0.0.0.255
! Sequence 10 drops the matched traffic; sequence 20 has no match clause, so it
! matches everything else and forwards it. Without sequence 20 the VACL's
! implicit deny would drop all other traffic in the VLAN, internet included.
vlan access-map VLAN1_MAP 10
 action drop
 match ip address VLAN1_ACL
vlan access-map VLAN1_MAP 20
 action forward
vlan access-map VLAN2_MAP 10
 action drop
 match ip address VLAN2_ACL
vlan access-map VLAN2_MAP 20
 action forward
vlan access-map VLAN3_MAP 10
 action drop
 match ip address VLAN3_ACL
vlan access-map VLAN3_MAP 20
 action forward
vlan access-map VLAN4_MAP 10
 action drop
 match ip address VLAN4_ACL
vlan access-map VLAN4_MAP 20
 action forward
! Apply each map to its VLAN
vlan filter VLAN1_MAP vlan-list 1
vlan filter VLAN2_MAP vlan-list 2
vlan filter VLAN3_MAP vlan-list 3
vlan filter VLAN4_MAP vlan-list 4
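
Added example (not from the post above) that generalizes the template: a Python generator that emits the same VACL layout for any set of VLAN subnets, plus a small simulator that says whether a given source/destination pair would be dropped. It defines the ACLs before the access-maps and keeps the sequence-20 "action forward" with no match clause, because a VACL drops anything that no sequence matches. The VLAN-to-subnet mapping is the post's; the function names are this example's.

```python
import ipaddress


def wildcard(net):
    """Cisco wildcard mask (inverse netmask) for an IPv4Network."""
    return str(net.hostmask)


def build_vlan_isolation(vlans):
    """vlans: {vlan_id: "10.5.11.0/24", ...}.
    Returns IOS lines that drop IP traffic between every pair of listed VLANs
    and forward everything else (the default route / internet still works).
    ACLs come first so the access-maps never reference an undefined ACL."""
    nets = {vid: ipaddress.IPv4Network(cidr) for vid, cidr in vlans.items()}
    lines = []
    for vid, src in sorted(nets.items()):
        lines.append("ip access-list extended VLAN%d_ACL" % vid)
        for other, dst in sorted(nets.items()):
            if other != vid:
                lines.append(" permit ip %s %s %s %s" % (
                    src.network_address, wildcard(src),
                    dst.network_address, wildcard(dst)))
    for vid in sorted(nets):
        name = "VLAN%d_MAP" % vid
        lines += [
            "vlan access-map %s 10" % name,
            " action drop",                      # drop what the ACL matches
            " match ip address VLAN%d_ACL" % vid,
            "vlan access-map %s 20" % name,
            " action forward",                   # no match clause: everything else
            "vlan filter %s vlan-list %d" % (name, vid),
        ]
    return lines


def is_dropped(vlans, src_ip, dst_ip):
    """Simulate the filter: a packet is dropped iff source and destination sit
    in two different listed VLAN subnets. Handy for checking a flow before
    pasting the config into a production switch."""
    nets = [ipaddress.IPv4Network(c) for c in vlans.values()]
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    src_net = next((n for n in nets if src in n), None)
    dst_net = next((n for n in nets if dst in n), None)
    return src_net is not None and dst_net is not None and src_net != dst_net


# The post's four VLANs, used here as constructed sample input.
VLANS = {1: "10.5.11.0/24", 2: "10.5.12.0/24", 3: "10.5.13.0/24", 4: "10.5.14.0/24"}

if __name__ == "__main__":
    print("\n".join(build_vlan_isolation(VLANS)))
    print("11 -> 12 dropped:", is_dropped(VLANS, "10.5.11.7", "10.5.12.9"))
    print("11 -> internet dropped:", is_dropped(VLANS, "10.5.11.7", "8.8.8.8"))
```

For n VLANs the generator emits n(n-1) permit entries; each pair is listed under both VLANs, which is redundant (the source VLAN's filter already drops it) but keeps the template symmetric if one filter is later removed.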
 
For ASA's and port forwarding.

Code:
! Permit the inbound traffic to the outside interface address on the chosen port
access-list outside_access_in extended permit {tcp or udp} any interface outside eq {port number}
! Static PAT from the outside interface port to the internal host (pre-8.3 NAT syntax)
static (inside,outside) {tcp or udp} interface {port number} {address to forward to} {port number} netmask 255.255.255.255
access-group outside_access_in in interface outside

so if you wanted to get http access to a webserver on your internal network and it has the ip address of 172.16.0.3 then....

Code:
access-list outside_access_in extended permit tcp any interface outside eq 80
static (inside,outside) tcp interface 80 172.16.0.3 80 netmask 255.255.255.255 
access-group outside_access_in in interface outside

In the 2nd line of code the port number after the ip address is the internal port your service is running on. If for some weird reason your web server was running on port 8080 you would edit the code accordingly.
 
For Routers

I researched this one when I was in school knowing there was no way a DHCP server resided in every subnet. So how do you get ONE DHCP server to lease out addresses to different subnets???

Code:
conf t
int fa 0/1
! Relay DHCP (and the other default UDP broadcast ports) from this subnet to these servers
ip helper-address 172.16.1.3
ip helper-address 172.16.20.7

172.16.1.3 and 172.16.20.7 are the addresses of your DHCP servers.

This method forwards DHCP along with many other UDP broadcast transmissions. What's the point of subnets if we're getting all these broadcasts???

Do THIS:

Code:
configure terminal
! Stop relaying the other ports that ip helper-address forwards by default;
! only BOOTP/DHCP (67/68) is still forwarded after this
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

In order for DHCP to work with the ip helper command a scope for each subnet must be set up in DHCP. I have only personally done this on Windows DHCP servers. I do not know if it will work with others. I don't see why it wouldn't though?
 
I'll throw another one out there for the ASA 5500's

> Using Netflow Analyzer for reading throughput on ASA 8.2(1)

* Note, this uses the default global-policy, the global policy must be applied globally*

Code:
! Collector address/port, and how long a new flow must exist before its create event is exported
flow-export destination inside {IP Of netflow "Collector"} {Port}
flow-export delay flow-create {Interval in seconds}
! Resend the v9 templates every minute; a collector cannot decode records until it has them
flow-export template timeout-rate 1
policy-map global_policy
 class class-default
  flow-export event-type all destination {IP Of netflow "Collector"}
exit

!To apply the global policy
service-policy global_policy global
write mem

Now go to your NetFlow collector computer; you can use Kiwi Syslog, Plixer Scrutinizer, or whatever you prefer to read your throughput.
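
Added example (not part of the post and not Cisco code): a minimal NetFlow v9 parser in Python that decodes what the ASA's NSEL export sends, a template FlowSet followed by data FlowSets, run over a constructed datagram rather than a capture. It shows why the template timeout-rate above matters: a collector can only decode data records once it has the template, so the parser keeps templates across datagrams and skips data it has no template for. The field numbers are standard v9/IPFIX ones (233 is firewallEvent, which NSEL uses for created/deleted/denied); the sample flows and the denied_flows helper are this example's assumptions.

```python
import ipaddress
import struct

# NetFlow v9 / IPFIX field numbers used below; the names are this example's own.
FIELD_NAMES = {8: "src_ip", 12: "dst_ip", 7: "src_port", 11: "dst_port",
               4: "proto", 233: "fw_event"}
FW_EVENTS = {1: "created", 2: "deleted", 3: "denied", 4: "alert", 5: "updated"}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, seq, sourceId


def decode_field(ftype, raw):
    if ftype in (8, 12):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Parse one v9 datagram. `templates` (id -> [(type, len), ...]) must be
    kept across datagrams: a data FlowSet whose template has not arrived yet
    is skipped, which is why a freshly started collector shows nothing until
    the exporter resends its templates. Returns (records, templates)."""
    templates = {} if templates is None else templates
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, off = [], HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, off))
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack_from("!HH", body, p))
                    p += 4
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:        # data FlowSet
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while rec_len and p + rec_len <= len(body):  # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "field%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                if "fw_event" in rec:
                    rec["fw_event"] = FW_EVENTS.get(rec["fw_event"], rec["fw_event"])
                records.append(rec)
        off += fs_len                # options (id 1) and unknown templates are skipped
    return records, templates


def denied_flows(records):
    """Detection hook: NSEL 'denied' events as (src_ip, dst_ip, dst_port)."""
    return [(r["src_ip"], r["dst_ip"], r["dst_port"]) for r in records if r.get("fw_event") == "denied"]


def build_sample(include_template=True):
    """Constructed datagram (not a capture): template 256 plus two records,
    one permitted outbound HTTPS flow and one denied inbound RDP attempt."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, event):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBB", sport, dport, proto, event))
    data = rec("10.0.0.5", "203.0.113.7", 51515, 443, 6, 1) + rec("198.51.100.9", "10.0.0.20", 4444, 3389, 6, 3)
    data += b"\x00" * (-len(data) % 4)                    # pad to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    flowsets = (tmpl_fs if include_template else b"") + data_fs
    count = (1 if include_template else 0) + 2
    return HEADER.pack(9, count, 12345, 1700000000, 1, 0) + flowsets


if __name__ == "__main__":
    recs, tmpls = parse_netflow_v9(build_sample())
    for r in recs:
        print(r)
    print("denied:", denied_flows(recs))
```

Pointing the ASA's flow-export at a UDP socket and feeding each datagram through parse_netflow_v9 with the same templates dict gives you the decoded NSEL events; the denied_flows filter is the kind of thing you would feed into alerting.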
 
ahh guess I should have specified which devices mine were for. I'll go fix that.
 
Over a year ago... I did a lot of testing/research on OER/PfR. I'm going to paste a bunch of stuff from the powerpoint I made. It's a great feature to test, you'll learn a lot. I used BGP as my RP (MC influences routes with local pref), but PfR supports OSPF as well.

Read this first: http://www.cisco.com/en/US/prod/col...4/ps6599/ps8787/prod_qas0900aecd806c4f03.html

Basic MC config:
key chain PFRKEY
key 10
key-string password

oer master
policy-rules Tier1 ! Specify specific rules with oer-map
max-range-utilization percent 5 ! Keep all BR exits within 5% utilization
logging
!
border 1.1.1.2 key-chain PFRKEY ! Specify BR with crypto key
interface GigabitEthernet6/1 internal ! Specify interfaces
interface GigabitEthernet6/2 external
max-xmit-utilization percentage 50 ! Keep link utilization below 50%
interface GigabitEthernet1/1 external
max-xmit-utilization percentage 50
!
border 1.1.1.3 key-chain PFRKEY
…
learn
throughput ! Monitor throughput of prefixes
periodic-interval 0 ! How often a new learning session is started (0 means it will start right after it finishes)
monitor-period 1 ! The amount of time the MC will learn for (minutes)
prefixes 2500 ! Maximum amount of prefixes that can be learned
aggregation-type prefix-length 26 ! When a prefix is learned, it will be inserted and controlled with this CIDR length

oer-map Tier1 5
match traffic-class prefix-list test1
set resolve delay priority 1 variance 20
set resolve utilization priority 2 variance 10
set resolve loss priority 3 variance 5
!

ip prefix-list test1 seq 5 permit 100.0.0.0/24
ip prefix-list test1 seq 10 permit 100.0.1.0/24
ip prefix-list test1 seq 15 permit 100.0.2.0/24
ip prefix-list test1 seq 20 permit 100.0.3.0/24

BR config:
key chain PFRKEY
key 10
key-string password

oer border
logging
local Loopback0
master 1.1.1.1 key-chain PFRKEY

PFR Process:
! PfR brings up border routers
Nov 24 13:54:36.191: %OER_MC-5-NOTICE: System enabled
Nov 24 13:54:36.891: %OER_MC-5-NOTICE: BR 1.1.1.2 UP
Nov 24 13:54:36.975: %OER_MC-5-NOTICE: BR 1.1.1.2 IF Gi0/1 UP
Nov 24 13:54:36.975: %OER_MC-5-NOTICE: BR 1.1.1.2 Active
Nov 24 13:54:37.307: %OER_MC-5-NOTICE: BR 1.1.1.3 UP
Nov 24 13:54:37.315: %OER_MC-5-NOTICE: BR 1.1.1.3 IF Gi0/1 UP
Nov 24 13:54:37.315: %OER_MC-5-NOTICE: BR 1.1.1.3 Active

! MC gathers statistics from BRs
Nov 24 14:24:21.662: %OER_MC-5-NOTICE: Prefix Learning STARTED
Nov 24 14:24:23.654: %OER_MC-5-NOTICE: Prefix Learning WRITING DATA

! MC analyzes stats and makes routing changes (if route control mode is enabled)
Nov 24 14:08:52.699: %OER_MC-5-NOTICE: Route changed Prefix 100.0.2.0/26, BR 1.1.1.2, i/f Gi0/1, Reason Range, OOP Reason Range
Nov 24 14:08:52.703: %OER_MC-5-NOTICE: Route changed Prefix 100.0.1.128/26, BR 1.1.1.3, i/f Gi0/1, Reason Delay, OOP Reason Delay
Nov 24 14:08:52.703: %OER_MC-5-NOTICE: Route changed Prefix 100.0.1.192/26, BR 1.1.1.2, i/f Gi0/1, Reason Range, OOP Reason Range

! MC places prefix into HOLDDOWN for 5 minutes (it cannot change the route again until this expires)
3-BR1-MC#sh oer mast pref | i HOLD
100.0.0.64/26 HOLDDOWN @293 1.1.1.3 Gi0/1 BGP

! MC places prefix into INPOLICY if it satisfies the policy during the HOLDDOWN state
3-BR1-MC#sh oer mast pref | i IN
100.0.0.64/26 INPOLICY @0 1.1.1.3 Gi0/1 BGP

! MC continuously gathers new stats and makes routing changes as necessary
Nov 24 13:58:00.124: %OER_MC-5-NOTICE: Range OOP BR 1.1.1.3, i/f Gi0/1, percent 11
Nov 24 14:01:30.241: %OER_MC-5-NOTICE: Route changed Prefix 100.0.0.0/26, BR 1.1.1.2, i/f Gi0/1, Reason Range, OOP Reason Range

Useful commands:
! Quickly shows the current egress utilization on all exits
sh oer mast bord det | i Tx
Gi5/1 Tx 1000000 500000 43616 4 UP 5
Gi0/1 Tx 1000000 500000 44290 4 UP 4
Gi0/1 Tx 1000000 500000 43684 4 UP 3
Gi6/2 Tx 1000000 500000 31110 3 UP 2
Gi1/1 Tx 1000000 500000 33985 3 UP 1

! Shows which prefixes are in policy and what BR and exit they are residing on
sh oer mast pref | i IN
101.0.0.64/26# INPOLICY @0 1.1.1.3 Gi5/1 BGP
102.0.0.64/26# INPOLICY @0 1.1.1.4 Gi0/1 BGP
103.0.0.64/26# INPOLICY @0 1.1.1.5 Gi0/1 BGP
…

! Shows which prefixes are in holddown and what BR and exit they are residing on
sh oer mast pref | i HOLD
101.0.2.0/26# HOLDDOWN @237 1.1.1.5 Gi0/1 BGP
102.0.2.0/26# HOLDDOWN @253 1.1.1.4 Gi0/1 BGP
103.0.2.0/26# HOLDDOWN @211 1.1.1.2 Gi1/1 BGP
…

! Shows all stats, history, and policy information for a prefix
sh oer mast pref x.x.x.x/nn detail
Prefix: 101.0.3.0/26#
State: INPOLICY Time Remaining: @0
Policy: 20
Most recent data per exit
Border Interface PasSDly PasLDly ActSDly ActLDly
*1.1.1.3 Gi5/1 0 0 1 1
1.1.1.2 Gi1/1 0 0 1 1
1.1.1.2 Gi6/2 0 0 1 1
…
Latest Active Stats on Current Exit:
Type Target TPort Attem Comps DSum Min Max Dly
echo 101.0.3.1 N 1 1 1 1 1 1
echo 101.0.3.1 N 1 1 1 1 1 1
…
! Uncontrols/resets a certain prefix
clear oer mast pref x.x.x.x/nn
Nov 24 13:33:01.711: %OER_MC-5-NOTICE: Uncontrol Prefix x.x.x.x/nn, Clear one prefix

! Uncontrols/resets all prefixes
clear oer mast pref *
Nov 24 13:54:31.755: %OER_MC-5-NOTICE: Uncontrol prefixes, Clear prefix all
 
whoops!!! *bumped* into this thread while searching for my own port forwarding template ;)

ADD MORE TEMPLATES!
 
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
hostname firewall
no fixup protocol dns
no fixup protocol ftp 21
no fixup protocol h323 h225 1720
no fixup protocol h323 ras 1718-1719
no fixup protocol http 80
no fixup protocol rsh 514
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol sip udp 5060
no fixup protocol skinny 2000
no fixup protocol smtp 25
no fixup protocol sqlnet 1521
no fixup protocol tftp 69
names
object-group service web tcp
port-object eq www
object-group service rps tcp
port-object eq www
port-object eq https
port-object range 9101 9120
object-group service rsync tcp
port-object eq ssh
port-object eq 873
object-group service sftp tcp
port-object eq ssh
port-object eq 8080
port-object eq 23560
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.x object-group web
access-list acl_out permit tcp any host x.x.x.x object-group rps
access-list acl_out permit tcp any host x.x.x.x object-group rps
access-list acl_out permit tcp any host x.x.x.x object-group rps
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address inside 10.1.1.1 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x 10.1.1.11 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.1.1.21 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.1.1.22 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.1.1.23 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.1.1.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 10.1.1.40 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server host inside 10.1.1.11 poll
snmp-server enable traps
tftp-server inside 10.1.1.9 /config.cfg
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 10
terminal width 80
banner login Login Restricted
Cryptochecksum:d5eedaa5e2833e769b4a37c09530e384
: end
Template for "object groups"
Greatest thing since sliced bread for opening certain ports for large numbers of NAT's.
 
This thread should be stickied. Just saiyen

Agreed.. However, I vote to make it a sub category and then make threads regarding templates for different devices. Examples like Switches, Routers, PIX/ASA, etc..... This would make it easier to search and direct people into the correct thread instead of having to go through many pages of configs until you find what you're looking for.
 
Base Config: ASA IPSec Remote Access VPN Template

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

ip local pool RA_VPN_POOL 10.1.200.100-10.1.200.150 mask 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto dynamic-map RA_VPN 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map RA_VPN 65535 set security-association lifetime seconds 28800
crypto dynamic-map RA_VPN 65535 set security-association lifetime kilobytes 4608000

crypto map VPN_MAP 65535 ipsec-isakmp dynamic RA_VPN
crypto map VPN_MAP interface outside

isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

tunnel-group ITT_RA type remote-access
tunnel-group ITT_RA general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_GP
tunnel-group ITT_RA ipsec-attributes
pre-shared-key <group key>
group-policy RA_VPN_GP internal
group-policy RA_VPN_GP attributes
wins-server value 10.0.0.1 10.0.0.2
dns-server value 10.0.0.1 10.0.0.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value mydomain.com
address-pools value RA_VPN_POOL

*Don't forget necessary NAT 0 commands / Split Tunnel ACL
 
Good thread. I'll be keeping an eye on it. I'm on board with getting it stickied.
 
Here's a template for using EZ-VPN that I just whipped up today and thought I'd share. Had to do this for a client that is connecting five sites running ASA5505s back to a central office with an ASA5510. Works swimmingly and they don't have to pay for statics at the remote sites.

EZ-VPN Server Config:

! NAT exemption for the three remote LANs (pre-8.3 NAT syntax)
access-list INSIDE_nat0_outbound extended permit ip 172.22.11.0 255.255.255.0 172.22.22.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 172.22.11.0 255.255.255.0 172.22.33.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 172.22.11.0 255.255.255.0 172.22.44.0 255.255.255.0

! Split tunnel: only the remote LANs are sent through the tunnel
access-list EZ-VPN_splitTunnelAcl standard permit 172.22.22.0 255.255.255.0
access-list EZ-VPN_splitTunnelAcl standard permit 172.22.33.0 255.255.255.0
access-list EZ-VPN_splitTunnelAcl standard permit 172.22.44.0 255.255.255.0

nat (INSIDE) 0 access-list INSIDE_nat0_outbound

group-policy EZ-VPN internal
group-policy EZ-VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZ-VPN_splitTunnelAcl
! network extension mode: the remote LAN is routed, not hidden behind the client
 nem enable
 webvpn

! xauth login for the hardware clients (example value, shown in clear text)
username EZ-VPN-CLIENT password SuP3RL33tP@55W0Rd

! Phase 2: esp-des/esp-md5-hmac are deprecated; esp-aes esp-sha-hmac is the
! stronger choice when all peers support it
crypto ipsec transform-set EZ-VPN-SET esp-des esp-md5-hmac
crypto dynamic-map EZ-VPN-DYN-MAP 5 set transform-set EZ-VPN-SET
crypto map EZ-VPN-MAP 60 ipsec-isakmp dynamic EZ-VPN-DYN-MAP
crypto map EZ-VPN-MAP interface outside

! Phase 1: lower policy numbers have higher priority; policy 1 (DES/MD5) is
! weaker than policy 65535 (3DES/SHA)
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

! The tunnel-group name is the vpngroup the clients use
tunnel-group EZ-VPN-TUNNEL type ipsec-ra
tunnel-group EZ-VPN-TUNNEL general-attributes
 default-group-policy EZ-VPN
tunnel-group EZ-VPN-TUNNEL ipsec-attributes
 pre-shared-key SuP3RL33tP@55W0Rd

EZ-VPN Client Config:

! hub ASA address: an IP such as 123.123.123.123 or a hostname such as vpn.domain.com
vpnclient server 123.123.123.123
vpnclient mode network-extension-mode
! group name and password must match the hub's tunnel-group and pre-shared-key
vpnclient vpngroup EZ-VPN-TUNNEL password SuP3RL33tP@55W0Rd
! xauth user and password must match the hub's username entry
vpnclient username EZ-VPN-CLIENT password SuP3RL33tP@55W0Rd
vpnclient enable
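
Added example (not from the post and not from Cisco): a Python check that flags the weak settings in configs like the one above before they are pasted into a firewall, namely single DES, 3DES, MD5 and DH group 2 in isakmp policies and transform-sets, clear-text telnet access, the default SNMP community and user passwords stored without the encrypted keyword. It understands both the one-line "isakmp policy N ..." form used here and the "crypto isakmp policy N" sub-mode form used in the OP's template, which it flags as well for 3DES and group 2. The thresholds and the sample config are this example's own.

```python
import re

# Thresholds are this example's own: single DES, 3DES (Sweet32), MD5 and
# DH groups below 14 are flagged.
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
POLICY_ATTRS = "encryption|hash|group|authentication|lifetime"


def check_policy_attr(policy, attr, value):
    if attr == "encryption" and value in WEAK_ENC:
        return "isakmp policy %s uses weak encryption %s" % (policy, value)
    if attr == "hash" and value in WEAK_HASH:
        return "isakmp policy %s uses weak hash %s" % (policy, value)
    if attr == "group" and value in WEAK_DH:
        return "isakmp policy %s uses weak DH group %s" % (policy, value)
    return None


def audit_asa_config(text):
    """Return [(line_no, finding), ...] for an ASA/PIX-style config. Handles
    both 'isakmp policy N attr value' one-liners and the
    'crypto isakmp policy N' sub-mode form."""
    findings = []
    policy = None                       # isakmp policy whose sub-mode we are in
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        m = re.match(r"(?:crypto\s+)?isakmp\s+policy\s+(\d+)(?:\s+(%s)\s+(\S+))?$" % POLICY_ATTRS, line)
        if m:
            policy = m.group(1)
            f = check_policy_attr(policy, m.group(2), m.group(3)) if m.group(2) else None
            if f:
                findings.append((no, f))
            continue
        m = re.match(r"(%s)\s+(\S+)$" % POLICY_ATTRS, line)
        if m and policy:
            f = check_policy_attr(policy, m.group(1), m.group(2))
            if f:
                findings.append((no, f))
            continue
        policy = None                   # any other line ends the sub-mode
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.*)$", line)
        if m:
            for t in m.group(2).split():
                if t in WEAK_TRANSFORMS:
                    findings.append((no, "transform-set %s uses weak %s" % (m.group(1), t)))
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            findings.append((no, "clear-text telnet management enabled: %s" % line))
        elif re.search(r"\bcommunity (public|private)\b", line):
            findings.append((no, "default SNMP community string"))
        elif re.match(r"username \S+ password \S+$", line):   # no 'encrypted' keyword follows
            findings.append((no, "user password stored without the 'encrypted' keyword"))
    return findings


# Constructed sample mixing lines from the templates in this thread with one
# acceptable policy (AES-256 / SHA / group 14) that must not be flagged.
SAMPLE = """\
crypto ipsec transform-set EZ-VPN-SET esp-des esp-md5-hmac
crypto ipsec transform-set GOOD esp-aes-256 esp-sha-hmac
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
snmp-server host inside 10.1.1.11 community public version 2c
username EZ-VPN-CLIENT password SuP3RL33tP@55W0Rd
"""

if __name__ == "__main__":
    for no, finding in audit_asa_config(SAMPLE):
        print("line %2d: %s" % (no, finding))
```

Run it over a saved `show running-config` before posting or applying a template; anything it prints is worth a second look, and the thresholds are easy to tighten (for example adding "14" to WEAK_DH once your peers all support group 19 or higher).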
 
i got one

Code:
l33tr0ut3r# conf t
l33tr0ut3r(config)# hostname thisthreadisfuckingworthless
thisthreadisfuckingworthless(config)#exit
thisthreadisfuckingworthless#
:p

in all seriousness, there's so many config templates on cisco.com.. why waste time typing out stuff and searching through stuff here? my .02
 
idk, sometimes it's impossible to find stuff on Cisco, I think I would rather scroll a few pages here than all through Cisco's mess of a site.
 

I'd ask if you're really serious except you said "in all seriousness". This thread rocks. Sifting through the mumbo jumbo on Cisco's site just to find a straightforward answer for something in my experience is not always easy.

This thread is to the point on some of the most basic functions for Cisco devices with a good explanation of each template usually in the post. Maybe the OP can go back and link each template in the OP to the thread number. That way there's no searching.
 
the way I look at it, is being a good engineer is being able to navigate through your vendors documentation. Cisco documentation is TOP rate, no mumbo jumbo and seriously easy to find what you need. Maybe you guys just need to spend a bit more time on cco :confused:

this thread might be cool for some, I just dont see much value in it unless people start contributing LOTS and LOTS of stuff which is not likely to happen as the expertise pool on hardforums is seriously low when it comes to Cisco. No offense to anyone.
 
Sure you can cruise around Cisco's site all day and find all kinds of good stuff there. But, it's also nice to see what other real people are doing with their stuff in the real world where public IPs are not 172.16.1.1 . . . .
 
While the idea of this thread might not be that bad in principle, it's going to promote bad habits.

Copying and pasting config lines says NOTHING about your ability to properly maintain a secure infrastructure. If you don't understand how to configure a feature in the first place, you really have absolutely no business deploying it. Networking is a highly complex subject and every change can have substantial impacts on the performance, security and resiliency of your network. It's incredibly important that you really understand what it is that you're doing.

The Cisco documentation is always there and it's really not hard to find. Those docs at least explain the components of the samples they show you and discuss the ramifications of configuration changes.

I'm not trying to be the party pooper here, just throwing in a word of caution :)
 
^ As long as you understand the concept behind what you're copying and pasting there is absolutely no difference between doing that way or typing it all in manually.

The way I look at it, is being a good engineer is being able to find the answers to your problems regardless of where you find them. The vendor's documentation can be helpful but it's not my first or last source of information that I look to. My experience with the Cisco site differs from your description.

This thread would be meant for people who are in this line of work but may not be involved with Cisco devices every day. I, myself, am in the phone recording business. One of the telephony environments we record is Cisco Voice, and under normal circumstances the customer should have their network set up for us beforehand. It's not always the case and sometimes I'm left troubleshooting. Other than the occasional install and having set up the ASA here in the office I'll never see Cisco devices. I have basic Cisco knowledge, but when I was tasked with setting up VPN on this device I was lost and the Cisco site was absolutely no help to me. It wasn't until the OP helped me in another thread with a template that I was able to get it working. I understand all the parts of the template but would have never been able to put it all together on my own.

THANKS K1PP3R ;)
 
Your vendor documentation shouldn't be your last source of information, I didn't say that.. but it should be the very first place that you check before coming to a forum without first knowing the technology. The fact is, almost always CCO will be your first and last point of reference if you do indeed know the technology you are working with.

again, if you can't find what you're looking for on CCO you're not versed with it and need to spend more time. I can find anything that I want to, when I want to, within a few minutes. Someone asked me about interconnects for multishelf CRS systems last night :D, I knew there was some type of proprietary interface for fabric inter-connectivity but didn't know exactly what it was... 10 minutes later I knew the type of interface it was, what technology it used and how to configure and migrate your single chassis systems to multishelf. Learn to use the tools that the vendors offer, it makes a world of difference, and is much better than just blindly pasting in some template that worked for someone.

remember, just because it works for someone else doesn't mean it's going to work for you.

You just proved lightworker's and my point, this thread will lead to laziness and complete lack of knowledge of the technology that you are implementing. If you are not going to take the time to read thoroughly through the documentation on the technology you are using then you have no right nor purpose on that particular box. This might be a bit harsh, but this is the real world here and the reason "RTFM" was coined. Lastly, if you understood all the parts of the template (technology wise) you should have been able to put it together.
 
Apparently we're taking each other out of context or just not understanding each other. Which is fine, but I'm not gonna continue a useless debate. Obviously we disagree about the usefulness of this thread. Either way, this thread is for templates. So kindly contribute, or just ignore the thread.
 