
Configure a VPN between 9 offices using CISCO equipment

Greetings everyone. First of all I want to introduce myself: my name is Ivan and I work in technical support at an IT company. I'm joining the forum to contribute a topic that I don't think I have found here, or at least I haven't hit on the right words to make it show up in my searches. I want to congratulate this whole community for the contributions it makes; I think it is one of the best forums I have found in terms of the quality of its participants, and I want to add my grain of sand so that it stays among the best. Well, after the pertinent compliments, let me get to the issue that worries me.

At the company where I work I was tasked with configuring a VPN between 9 offices (1 head office and 8 branches). I normally work with Netgear equipment, but at my first encounter with the hardware I found 1 x Cisco 1841 and 8 x Cisco 877. Despite warning them that I had never configured Cisco routers and that they were tremendously complicated, but at the same time among the best on the market (that last part probably didn't help me convince them to switch :P), they entrusted me with configuring them. They gave me 7 days; the thing is that 15 have already gone by and I'm at my wits' end because I can't get this VPN to work properly.

The VPN has to provide:
- voice over IP (which forces me to configure QoS)
- data (remote desktop to the server at the head office)
- the ability to view IP cameras across it
- interconnection between the branches, meaning that branch B can reach branches C, D, E, F, G and H as well as the head office, which is A

The topology I built is a star. The central router, the 1841, runs Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5). The branch routers, the 877s, run Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5).
I have used the notation a.a.a.a to indicate the public IP of office A; the same rule applies to all the offices (b.b.b.b for branch B, c.c.c.c for branch C, etc.). I used SDM to configure the tunnels. The configuration of the 1841 is this:

```
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPN_01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 80.58.0.33 80.58.32.97
   default-router 192.168.4.254
!
!
no ip bootp server
ip domain name dominio.local
ip name-server 80.58.0.33
ip name-server 80.58.32.97
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2868054754
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2868054754
 revocation-check none
 rsakeypair TP-self-signed-2868054754
!
!
!
!
!
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXX address b.b.b.b
crypto isakmp key XXXXXXXX address c.c.c.c
crypto isakmp key XXXXXXXX address d.d.d.d
crypto isakmp key XXXXXXXX address e.e.e.e
crypto isakmp key XXXXXXXX address f.f.f.f
crypto isakmp key XXXXXXXX address g.g.g.g
crypto isakmp key XXXXXXXX address h.h.h.h
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel tob.b.b.b
 set peer b.b.b.b
 set transform-set ESP-3DES-SHA
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toc.c.c.c
 set peer c.c.c.c
 set transform-set ESP-3DES-SHA1
 match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel tod.d.d.d
 set peer d.d.d.d
 set transform-set ESP-3DES-SHA2
 match address 107
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel toe.e.e.e
 set peer e.e.e.e
 set transform-set ESP-3DES-SHA3
 match address 109
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel tof.f.f.f
 set peer f.f.f.f
 set transform-set ESP-3DES-SHA4
 match address 111
crypto map SDM_CMAP_1 6 ipsec-isakmp
 description Tunnel tog.g.g.g
 set peer g.g.g.g
 set transform-set ESP-3DES-SHA5
 match address 113
crypto map SDM_CMAP_1 7 ipsec-isakmp
 description Tunnel toh.h.h.h
 set peer h.h.h.h
 set transform-set ESP-3DES-SHA6
 match address 115
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 110
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 116
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 114
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-6
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.4.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname adslppp@telefonicanetpa
 ppp chap password 7 00051715084B1B16
 ppp pap sent-username adslppp@telefonicanetpa password 7 01120217571B161F
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host b.b.b.b any
access-list 102 permit ip host c.c.c.c any
access-list 102 permit ip host d.d.d.d any
access-list 102 permit ip host e.e.e.e any
access-list 102 permit ip host f.f.f.f any
access-list 102 permit ip host g.g.g.g any
access-list 102 permit ip host h.h.h.h any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 110 remark SDM_ACL Category=0
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 113 remark SDM_ACL Category=4
access-list 113 remark IPSec Rule
access-list 113 permit ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 114 remark SDM_ACL Category=0
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 115 remark SDM_ACL Category=4
access-list 115 remark IPSec Rule
access-list 115 permit ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 116 remark SDM_ACL Category=0
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.11.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end
```

The configuration of the 877s is this:

```
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPN_02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-1910646750
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1910646750
 revocation-check none
 rsakeypair TP-self-signed-1910646750
!
!
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.12.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.12.0 255.255.255.0
   dns-server 80.58.0.33 80.58.32.97
   default-router 192.168.12.1
!
!
no ip bootp server
ip domain name dominio.local
ip name-server 80.58.0.33
ip name-server 80.58.32.97
!
!
!
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXX address a.a.a.a
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toaaa.aaa.aaa.aaa
 set peer aaa.aaa.aaa.aaa
 set transform-set ESP-3DES-SHA
 match address 101
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all SDM_VPN_PT0
 match access-group 106
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 105
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT0
  pass
 class type inspect sdm-access
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/32
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.12.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname adslppp@telefonicanetpa
 ppp chap password 7 01120217571B161F
 ppp pap sent-username adslppp@telefonicanetpa password 7 03055F180A1F315C
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 217.125.40.108 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 192.168.12.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 104 permit ip 192.168.12.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=128
access-list 105 permit ip any any
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip host 217.125.40.108 any
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.12.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
```

The problems I have:
- I can bring up the tunnels, and I can access files by IP between the head office and the branches (I can't do it by host name, which I presume has to do with DNS), but I can't reach computers between branches.
- I can't use the video recording program because I can't reach the cameras from it; when I try to access them via the web, the page title appears (in the title bar) but the page stays blank and never actually loads.
- The 877s won't let me configure QoS because SDM tells me they don't have that option, but the people who sold them to me assure me they do.
- The IP phones work when they call the PBX hanging off the 1841, but they can't talk between branches.

Well, basically that's all I can say. I know it's not your problem, but I'm DESPERATE with this issue; it's a big and important client and my head seems to be on the line. I'd appreciate any help you can give me.
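The configurations above form a hub-and-spoke IPsec VPN with static crypto maps, where each crypto ACL on the hub selects only hub-LAN to spoke-LAN traffic and each 877's ACL 101 selects only spoke-LAN to hub-LAN traffic; with static crypto maps, a packet from one spoke's LAN to another's is tunnelled through the hub only if the inbound tunnel's crypto ACL (mirrored) and the outbound tunnel's crypto ACL both select it. The Python checker below, added here as an example and not part of the original post, parses a constructed excerpt of the hub configuration (the post's ACL numbers and subnets, reduced to three spokes), lists the spoke-to-spoke flows the hub cannot carry, and shows the same check passing on a constructed variant with one entry per spoke pair.

```python
import ipaddress
import re
from itertools import permutations

# Constructed excerpt mirroring the posted 1841 (hub) configuration: same crypto
# map entries, ACL numbers and LAN subnets, cut down to three spokes.  Each
# crypto ACL selects only hub-LAN <-> spoke-LAN traffic.
HUB_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer b.b.b.b
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer c.c.c.c
 match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer d.d.d.d
 match address 107
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.13.0 0.0.0.255
"""

# Constructed variant (hub side only): one extra ACE per spoke pair, so every
# spoke-LAN pair is selected by both tunnels it crosses.  The spokes' own crypto
# ACLs and NAT-exemption ACLs would need matching entries as well.
HUB_CONFIG_FULL = HUB_CONFIG + """\
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.13.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.13.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
"""

ACE_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_hub(config):
    """Return {peer: [(local_net, remote_net), ...]} for each crypto map entry."""
    acls, acl_of_peer, peer = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto map "):
            peer = None                       # a new map entry begins
        elif line.startswith("set peer "):
            peer = line.split()[2]
        elif line.startswith("match address ") and peer:
            acl_of_peer[peer] = line.split()[2]
        m = ACE_RE.match(line)
        if m:
            num, src, swc, dst, dwc = m.groups()
            acls.setdefault(num, []).append(
                (wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return {peer: acls.get(num, []) for peer, num in acl_of_peer.items()}


def covers(aces, src, dst):
    """True if one ACE selects the whole src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in aces)


def spoke_to_spoke_gaps(config):
    """Flows (src_peer, dst_peer, src_lan, dst_lan) the hub cannot tunnel.

    A packet from spoke A's LAN to spoke B's LAN arrives through tunnel A,
    where it must match the mirror of A's crypto ACL, and leaves through
    tunnel B, where it must match B's crypto ACL as written.
    """
    policy = parse_hub(config)
    lans = {peer: {d for _, d in aces} for peer, aces in policy.items()}
    gaps = []
    for a, b in permutations(sorted(policy), 2):
        for a_lan in sorted(lans[a]):
            for b_lan in sorted(lans[b]):
                inbound_ok = covers(policy[a], b_lan, a_lan)   # mirrored
                outbound_ok = covers(policy[b], a_lan, b_lan)
                if not (inbound_ok and outbound_ok):
                    gaps.append((a, b, str(a_lan), str(b_lan)))
    return gaps
```

The same check applies on each spoke to its crypto ACL 101 and to the NAT-exemption ACL 104 used by route-map SDM_RMAP_1, which in the posted 877 configuration only exempts 192.168.12.0/24 to 192.168.4.0/24; on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so traffic for another branch's LAN that is not exempted is translated to the public address and never matches the crypto ACL.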
