IPTABLES
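#!/usr/bin/env bash
# Gateway setup for a small lab: the box sits between the 30.30.30.0/24 segment
# on wlan0 and the 40.40.40.0/24 segment on eth0. It enables IPv4 forwarding,
# installs the static routes, and loads a default-deny iptables ruleset with one
# FORWARD sub-chain per LAN host (30.30.30.11 and 30.30.30.22).
#
# Must run as root. Re-runnable: the filter table is flushed first so the script
# does not append duplicate rules or fail on an already-existing chain.
# IPv4 only — ip6tables is not touched, so IPv6 (if enabled on this host) keeps
# whatever policy it already has.
set -euo pipefail

# --- 1. Kernel forwarding and routes -------------------------------------
printf '1\n' > /proc/sys/net/ipv4/ip_forward

# The original used route(8) with a stray "net" token before "netmask", which
# route rejects. "ip route replace" is the iproute2 equivalent and is idempotent:
# it does not fail when the connected route already exists.
ip route replace 30.30.30.0/24 dev wlan0
ip route replace 40.40.40.0/24 dev eth0
ip route replace default via 40.40.40.254 dev eth0

# --- 2. Reset the filter table ------------------------------------------
# Flush built-in chains first so the user-defined FWD-30-* chains are no
# longer referenced and -X can delete them.
iptables -F
iptables -X

# --- 3. Default policies and always-on INPUT rules -----------------------
# Inbound and transit traffic is denied unless explicitly allowed; traffic
# originating on the gateway itself is allowed. The ESTABLISHED,RELATED and
# loopback rules go in immediately after the policy flip so an existing
# admin session is not cut off and local services (e.g. a resolver on
# 127.0.0.1) keep working under INPUT DROP.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): this accepts *every* protocol/port from the LAN on wlan0. It is
# what lets DHCP/DNS etc. reach the gateway, but it also shadows the per-host
# tcp/22 and tcp/23 INPUT rules for 30.30.30.11 and 30.30.30.22 added below.
# If those per-host rules are the intended policy, narrow this to the specific
# services (-p/--dport) instead of the whole subnet.
iptables -A INPUT -s 30.30.30.0/24 -i wlan0 -j ACCEPT

#######################################
# Create a per-host FORWARD sub-chain and steer all transit traffic to or from
# that host into it. The sub-chain accepts return traffic first; anything the
# caller does not allow afterwards falls back to FORWARD's DROP policy.
# Arguments: $1 - chain name, $2 - host address
#######################################
make_host_chain() {
  local chain=$1 host=$2
  iptables -N "$chain"
  iptables -A FORWARD -s "$host" -j "$chain"
  iptables -A FORWARD -d "$host" -j "$chain"
  iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Allow new TCP connections from a LAN host to one destination port.
# Arguments: $1 - chain, $2 - source host, $3 - destination host, $4 - tcp port
#######################################
allow_tcp() {
  iptables -A "$1" -s "$2" -d "$3" -p tcp --dport "$4" -j ACCEPT
}

#######################################
# Allow ICMP echo-request from a LAN host to one destination.
# Arguments: $1 - chain, $2 - source host, $3 - destination host
#######################################
allow_ping() {
  iptables -A "$1" -s "$2" -d "$3" -p icmp --icmp-type echo-request -j ACCEPT
}

# --- 4. Per-host transit policy -----------------------------------------
make_host_chain FWD-30-1 30.30.30.11
make_host_chain FWD-30-2 30.30.30.22

# Host .11: http + ssh + ping to 20.20.20.20, telnet to the two routers.
allow_tcp  FWD-30-1 30.30.30.11 20.20.20.20 80
allow_ping FWD-30-1 30.30.30.11 20.20.20.20
allow_tcp  FWD-30-1 30.30.30.11 100.100.100.100 23
allow_tcp  FWD-30-1 30.30.30.11 200.200.200.200 23
allow_tcp  FWD-30-1 30.30.30.11 20.20.20.20 22

# Host .22: same as .11 plus the FTP control channel (tcp/21).
# RELATED in the chain covers the FTP data connection only if the
# nf_conntrack_ftp helper is loaded — TODO confirm on this kernel.
allow_tcp  FWD-30-2 30.30.30.22 20.20.20.20 80
allow_tcp  FWD-30-2 30.30.30.22 20.20.20.20 21
allow_ping FWD-30-2 30.30.30.22 20.20.20.20
allow_tcp  FWD-30-2 30.30.30.22 100.100.100.100 23
allow_tcp  FWD-30-2 30.30.30.22 200.200.200.200 23
allow_tcp  FWD-30-2 30.30.30.22 20.20.20.20 22

# --- 5. Management access to the gateway itself (30.30.30.1) -------------
# ssh and telnet from two LAN hosts and two hosts on 10.10.10.0/24. The
# original listed the 30.30.30.22/22 rule twice; one copy is enough.
# Telnet is cleartext — prefer ssh-only once the lab no longer needs it.
for src in 30.30.30.11 30.30.30.22 10.10.10.11 10.10.10.22; do
  for port in 22 23; do
    iptables -A INPUT -s "$src" -d 30.30.30.1 -p tcp --dport "$port" -j ACCEPT
  done
done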
ACCESS LIST
! Router running-config. Access-list 110 is applied inbound on Gi0/0 (the
! 10.10.10.0/24 side) and outbound on Serial0/0/0, so a 10.10.10.x packet that
! leaves via the serial link is evaluated against the list twice.
! NOTE(review): "enable password" stores a reversible secret; "enable secret"
! is the hashed form — confirm which the lab requires.
enable password cisco
!
interface Loopback0
ip address 200.200.200.200 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
! LAN-facing interface; ACL 110 filters traffic entering from 10.10.10.0/24.
interface GigabitEthernet0/0
ip address 10.10.10.254 255.255.255.0
ip access-group 110 in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! WAN link; the same ACL also filters traffic leaving towards the serial peer.
! Return traffic arriving on this interface is not filtered (no "in" ACL), which
! is why the permits below need no "established" keyword.
interface Serial0/0/0
ip address 1.1.1.2 255.255.255.252
ip access-group 110 out
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
! NOTE(review): RIPv2 updates are unauthenticated and sent on every listed
! network, including the LAN on Gi0/0 — "passive-interface" and RIP
! authentication exist if that matters for this topology.
router rip
version 2
network 1.0.0.0
network 10.0.0.0
network 200.200.200.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
! 30.30.30.0/24 is reached through the serial link, so the 30.30.30.x ACEs
! below only take effect for traffic that leaves via Serial0/0/0 — TODO confirm
! the 20.20.20.20 / 100.100.100.100 destinations sit behind that link.
ip route 30.30.30.0 255.255.255.0 Serial0/0/0
!
! ACL 110: per-host allow-list for four clients (10.10.10.11/.22, 30.30.30.11/.22).
! Order matters: the single deny for echo from 20.20.20.20 sits after the
! permits that let the clients ping it, so those are unaffected.
access-list 110 permit tcp host 10.10.10.11 host 20.20.20.20 eq www
access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq www
access-list 110 permit tcp host 30.30.30.11 host 20.20.20.20 eq www
access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq www
access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq ftp
access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq ftp
access-list 110 permit icmp host 10.10.10.11 host 20.20.20.20 echo
access-list 110 permit icmp host 10.10.10.22 host 20.20.20.20 echo
access-list 110 permit icmp host 30.30.30.11 host 20.20.20.20 echo
access-list 110 permit icmp host 30.30.30.22 host 20.20.20.20 echo
access-list 110 deny icmp host 20.20.20.20 any echo
! NOTE(review): the next two ACEs only match if 10.10.10.11<->30.30.30.11 traffic
! crosses Gi0/0 inbound or Serial0/0/0 outbound; the 30.30.30.11 -> 10.10.10.11
! direction takes neither path under the routes above — verify it is reachable.
access-list 110 permit icmp host 10.10.10.11 host 30.30.30.11 echo
access-list 110 permit icmp host 30.30.30.11 host 10.10.10.11 echo
! Telnet to the two routers is cleartext (credentials on the wire); ssh (eq 22)
! is already allowed to 20.20.20.20 and would be the safer choice here too.
access-list 110 permit tcp host 10.10.10.11 host 100.100.100.100 eq telnet
access-list 110 permit tcp host 10.10.10.22 host 100.100.100.100 eq telnet
access-list 110 permit tcp host 30.30.30.11 host 100.100.100.100 eq telnet
access-list 110 permit tcp host 30.30.30.22 host 100.100.100.100 eq telnet
access-list 110 permit tcp host 10.10.10.11 host 200.200.200.200 eq telnet
access-list 110 permit tcp host 10.10.10.22 host 200.200.200.200 eq telnet
access-list 110 permit tcp host 30.30.30.11 host 200.200.200.200 eq telnet
access-list 110 permit tcp host 30.30.30.22 host 200.200.200.200 eq telnet
access-list 110 permit tcp host 10.10.10.11 host 20.20.20.20 eq 22
access-list 110 permit tcp host 10.10.10.22 host 20.20.20.20 eq 22
access-list 110 permit tcp host 30.30.30.11 host 20.20.20.20 eq 22
access-list 110 permit tcp host 30.30.30.22 host 20.20.20.20 eq 22
! Explicit final deny (same effect as the implicit one); appending "log" to it
! would make dropped traffic visible in the router log for troubleshooting.
access-list 110 deny ip any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
! NOTE(review): vty lines accept telnet as well as ssh ("transport input all")
! with a shared cleartext password. "transport input ssh" restricts remote
! management to ssh — confirm ssh keys/local users are set up before switching.
line vty 0 5
password cisco
login
transport input all
!
scheduler allocate 20000 1000
end
IPSEC
R1
! R1: LAN 172.16.5.0/24 on f0/1, WAN /30 on s1/0, site-to-site IPsec to R4.
conf t
int f0/1
ip add 172.16.5.1 255.255.255.0
no shut
exit
int s1/0
ip add 137.23.193.2 255.255.255.252
clock rate 64000
no shut
exit
! Default route to the WAN next hop; OSPF only carries the /30 link, so the
! LAN subnets are not advertised and inter-site reachability relies on this
! default route plus the crypto map — TODO confirm that is intended.
ip route 0.0.0.0 0.0.0.0 137.23.193.1
router ospf 1
network 137.23.193.0 0.0.0.3 area 0
exit
! Crypto ACL: "interesting" traffic = LAN-to-LAN. R4's list (192.168.2.0 ->
! 172.16.5.0) is the exact mirror image, as IPsec requires.
access-list 110 permit ip 172.16.5.0 0.0.0.255 192.168.2.0 0.0.0.255
! IKE phase 1. No "hash" line, so the platform default applies.
! NOTE(review): "group 2" is 1024-bit DH and "authentication pre-share" with
! the key below is lab-grade; "group 14" (2048-bit) and a strong, per-peer
! key are the usual minimum where the platform supports them.
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco address 189.100.29.2
! IKE phase 2 transform: 3DES + SHA-1 HMAC, tunnel mode (default).
! NOTE(review): 3DES is deprecated; "esp-aes" with "esp-sha-hmac" (or
! "esp-sha256-hmac" where supported) is the modern equivalent.
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R4
set peer 189.100.29.2
set transform-set VPN-SET
match address 110
exit
! Bind the map to the WAN interface; only traffic matching ACL 110 is encrypted.
interface s1/0
crypto map VPN-MAP
R4
! R4: WAN /30 on s1/0, LAN 192.168.2.0/24 on f0/1, IPsec peer of R1.
conf t
int s1/0
ip add 189.100.29.2 255.255.255.252
no shut
exit
int f0/1
ip add 192.168.2.1 255.255.255.0
no shut
exit
! Default route to the WAN next hop; as on R1, OSPF only carries the /30.
ip route 0.0.0.0 0.0.0.0 189.100.29.1
router ospf 1
network 189.100.29.0 0.0.0.3 area 0
exit
! Crypto ACL, mirror image of R1's (192.168.2.0 -> 172.16.5.0).
access-list 110 permit ip 192.168.2.0 0.0.0.255 172.16.5.0 0.0.0.255
! IKE phase 1 — must match R1's policy (aes, pre-share, group 2).
! NOTE(review): same caveats as R1: 1024-bit DH and a trivial pre-shared key
! stored in the config; "group 14" and a strong key where supported.
crypto isakmp policy 10
encryption aes
authentication pre-share
group 2
exit
crypto isakmp key cisco address 137.23.193.2
! Transform set must match R1's; 3DES is deprecated (see R1 notes).
crypto ipsec transform-set VPN-SET esp-3des esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
description VPN connection to R1
set peer 137.23.193.2
set transform-set VPN-SET
match address 110
exit
interface s1/0
crypto map VPN-MAP
GRE
! Plain GRE point-to-point tunnel between HQ and Branch, overlay 192.168.13.0/24.
! GRE carries no encryption or authentication; anything sent over tunnel 1 is
! readable on the underlay unless it is additionally protected by IPsec.
! The tunnel destination on each side must be the address configured on the
! peer's f0/0 (192.168.23.3 on Branch, 192.168.12.1 on HQ) — not shown here.
HQ(config)#interface tunnel 1
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.23.3
HQ(config-if)#ip address 192.168.13.1 255.255.255.0
! No "keepalive" is set, so the tunnel stays up/up even if the peer is
! unreachable; routes over the tunnel are not part of this excerpt.
Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.12.1
Branch(config-if)#ip address 192.168.13.3 255.255.255.0