
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 1,251 of 2,348   
   Yulunga to All   
   Cisco Client from behind an IOS box with    
   05 Oct 04 21:56:42   
   
   From: zen39712@zen.co.uk   
      
   OK --   
      
   I have a Cisco 800 DSL router with a site-to-site VPN that works fine. I also   
   have remote access to the network behind the IOS through a Cisco VPN client   
   v. 4.6. What I now need is to set up access to another remote network with   
   the Checkpoint SecuRemote VPN client from inside my home network. Below is   
   the config of my home network; the Checkpoint client is on 10.100.200.10   
   255.255.255.224. I have 8 public IP addresses from my ISP and only use the   
   one with NAT.   
      
   Please could someone help me with an explanation on how to go about this!!!   
      
   HOUSTON#show conf   
   Using 4426 out of 131072 bytes   
   !   
   version 12.3   
   no service pad   
   service timestamps debug datetime msec   
   service timestamps log datetime msec   
   service password-encryption   
   !   
   hostname HOUSTON   
   !   
   boot-start-marker   
   boot-end-marker   
   !   
   enable secret !   
   username dogma pass   
   aaa new-model   
   !   
   !   
   aaa authentication login userauthen local   
   aaa authorization network client3000 local   
   aaa session-id common   
   ip subnet-zero   
   !   
   !   
   !   
   !   
   ip domain name simian.com   
   ip inspect name in2out rcmd   
   ip inspect name in2out ftp   
   ip inspect name in2out tftp   
   ip inspect name in2out tcp timeout 43200   
   ip inspect name in2out http   
   ip inspect name in2out udp   
   ip ips po max-events 100   
   no ftp-server write-enable   
   !   
   !   
   !   
   !   
   !   
   crypto isakmp policy 10   
    encr 3des   
    authentication pre-share   
    group 2   
   crypto isakmp key test321 address 212.100.100.3   
   crypto isakmp key test123 address 80.100.100.10   
   !   
   crypto isakmp client configuration group client3000   
    key user@test1234user   
    dns 10.100.200.11   
    domain simian.com   
    pool ippool   
    acl 101   
   crypto isakmp profile VPNclient   
      match identity group client3000   
      client authentication list userauthen   
      isakmp authorization list client3000   
      client configuration address respond   
   !   
   !   
   crypto ipsec transform-set vpn-trans esp-3des esp-sha-hmac   
    mode transport   
   !   
   crypto ipsec profile test123   
    set security-association lifetime seconds 1800   
   !   
   !   
   crypto dynamic-map dynmap 10   
    set transform-set vpn-trans   
    set isakmp-profile VPNclient   
    reverse-route   
   !   
   !   
   crypto map dynmap 1 ipsec-isakmp dynamic dynmap   
   crypto map dynmap 10 ipsec-isakmp   
    set peer 212.100.100.3   
    set transform-set vpn-trans   
    set pfs group2   
    match address 111   
   crypto map dynmap 20 ipsec-isakmp   
    set peer 80.100.100.10   
    set transform-set vpn-trans   
    set pfs group2   
    match address 115   
   !   
   !   
   !   
   interface Ethernet0   
    ip address 10.100.200.1 255.255.255.224   
    ip nat inside   
    ip virtual-reassembly   
    no ip mroute-cache   
    fair-queue   
    no cdp enable   
    hold-queue 100 out   
   !   
   interface ATM0   
    no ip address   
    atm vc-per-vp 64   
    no atm ilmi-keepalive   
    dsl operating-mode auto   
    pvc 0/38   
     encapsulation aal5mux ppp dialer   
     dialer pool-member 1   
    !   
   !   
   interface FastEthernet1   
    no ip address   
    duplex auto   
    speed auto   
   !   
   interface FastEthernet2   
    no ip address   
    duplex auto   
    speed auto   
   !   
   interface FastEthernet3   
    no ip address   
    duplex auto   
    speed auto   
   !   
   interface FastEthernet4   
    no ip address   
    duplex auto   
    speed auto   
   !   
   interface Dialer0   
    ip address negotiated   
    ip access-group 121 in   
    ip nat outside   
    ip inspect in2out out   
    ip virtual-reassembly   
    encapsulation ppp   
    dialer pool 1   
    dialer enable-timeout 2   
    dialer-group 1   
    fair-queue   
    ppp authentication chap callin   
    ppp chap hostname ****   
    ppp chap password ***   
    crypto map dynmap   
    hold-queue 224 in   
   !   
   ip local pool ippool 192.168.1.200 192.168.1.210   
   ip classless   
   ip route 0.0.0.0 0.0.0.0 Dialer0   
   !   
   no ip http server   
   no ip http secure-server   
   ip nat inside source route-map nonat interface Dialer0 overload   
   ip nat inside source static 10.100.200.10 212.100.10.51   
   !   
   access-list 100 deny   ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255   
   access-list 100 deny   ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255   
   access-list 100 deny   ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255   
   access-list 100 permit ip 10.100.200.0 0.0.0.31 any   
   access-list 101 permit ip 192.168.1.0 0.0.0.255 10.100.200.0 0.0.0.31   
   access-list 101 permit ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255   
   access-list 103 deny   ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255   
   access-list 103 deny   ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255   
   access-list 103 deny   ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255   
   access-list 103 deny   ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255   
   access-list 103 permit ip 10.100.200.0 0.0.0.31 any   
   access-list 103 permit ip 192.168.1.0 0.0.0.31 any   
   access-list 111 permit ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255   
   access-list 111 permit ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255   
   access-list 115 permit ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255   
   dialer-list 1 protocol ip permit   
   route-map nonat permit 10   
    match ip address 103   
   !   
   !   
   control-plane   
   !   
   !   
   line con 0   
   line aux 0   
    transport preferred ssh   
    stopbits 1   
   line vty 0 4   
    transport input ssh   
   !   
   scheduler max-task-time 5000   
   end   
      
   Y.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
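One thing worth checking in a config like the one above, before adding a third VPN path, is that every flow selected by a crypto map ACL (111 and 115 here) is also denied by the ACL behind "route-map nonat" (103), so it is exempted from overload NAT and reaches the crypto map with its real source address. The script below is an added example, not code from the post or from Cisco; it parses a constructed excerpt modelled on the router config above (same ACL and crypto map numbers, no passwords), and flags any crypto-selected flow that the NAT route-map would still translate. It only models the route-map based dynamic NAT, not the "ip nat inside source static" entry, and only plain "ip" ACL entries.

```python
"""Cross-check IOS crypto map ACLs against the NAT-exemption (route-map) ACL.

Added example. The config excerpt is constructed from the post above; it is
not the complete running config and contains no secrets.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
crypto map dynmap 10 ipsec-isakmp
 set peer 212.100.100.3
 match address 111
crypto map dynmap 20 ipsec-isakmp
 set peer 80.100.100.10
 match address 115
ip nat inside source route-map nonat interface Dialer0 overload
access-list 103 deny   ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
access-list 103 deny   ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 103 deny   ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 103 deny   ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.100.200.0 0.0.0.31 any
access-list 111 permit ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 111 permit ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 115 permit ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
route-map nonat permit 10
 match ip address 103
"""

AclEntry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair into a CIDR network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # bits not contiguous from the right: no CIDR equivalent
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACL address spec ('any', 'host X', or 'addr wildcard')."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect numbered extended ACL entries of the form 'access-list N action ip SRC DST'."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.*)", line.strip())
        if not m:
            continue  # protocol-specific entries (tcp/udp/icmp) are out of scope here
        tokens = m.group(3).split()
        src, i = _parse_addr(tokens, 0)
        dst, _ = _parse_addr(tokens, i)
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def crypto_map_acls(config: str) -> Dict[str, str]:
    """Map each static crypto map entry ('name seq') to its 'match address' ACL."""
    result: Dict[str, str] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            continue
        if not line.startswith(" "):
            current = None  # left the crypto map stanza
            continue
        m = re.match(r"\s+match address (\d+)", line)
        if m and current:
            result[current] = m.group(1)
    return result


def nat_exemption_acl(config: str) -> Optional[str]:
    """Return the ACL referenced by the route-map that drives 'ip nat inside source'."""
    m = re.search(r"^ip nat inside source route-map (\S+)", config, re.M)
    if not m:
        return None
    inside = False
    for line in config.splitlines():
        rm = re.match(r"route-map (\S+) permit \d+", line)
        if rm:
            inside = rm.group(1) == m.group(1)
            continue
        if inside:
            am = re.match(r"\s+match ip address (\d+)", line)
            if am:
                return am.group(1)
        if not line.startswith(" "):
            inside = False
    return None


def acl_decision(entries: List[AclEntry], src: ipaddress.IPv4Address,
                 dst: ipaddress.IPv4Address) -> str:
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def _sample_host(net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    return net.network_address if net.num_addresses <= 2 else net.network_address + 1


def check_nat_exemption(config: str) -> List[str]:
    """Flag crypto-selected flows that the NAT route-map ACL would still translate.

    A flow is exempt from NAT only if the route-map ACL *denies* it; a 'permit'
    means the packet is translated before the crypto map sees it, so it never
    matches the tunnel ACL.
    """
    acls = parse_acls(config)
    nat_acl = nat_exemption_acl(config)
    if nat_acl is None:
        return []  # no route-map based NAT to cross-check
    findings: List[str] = []
    for entry, acl_num in crypto_map_acls(config).items():
        for action, src_net, dst_net in acls.get(acl_num, []):
            if action != "permit":
                continue
            verdict = acl_decision(acls.get(nat_acl, []), _sample_host(src_net), _sample_host(dst_net))
            if verdict == "permit":
                findings.append(f"crypto map {entry}: {src_net} -> {dst_net} selected by "
                                f"ACL {acl_num} but ACL {nat_acl} would NAT it first")
    return findings


if __name__ == "__main__":
    for f in check_nat_exemption(SAMPLE_CONFIG) or ["NAT exemption consistent with crypto ACLs"]:
        print(f)
```

Run against the excerpt it reports no findings, because every destination in ACLs 111 and 115 has a matching deny in ACL 103; delete one of those deny lines and the corresponding crypto map entry is flagged. The same check is a useful first step when a new client or tunnel is added to a router that already does overload NAT.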



(c) 1994,  bbs@darkrealms.ca