service password-encryption
hostname katowice_3640
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp key qwerty1234CXZ address 83.19.73.234
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac

crypto map VPN_MAP 1 ipsec-isakmp
 set peer 83.19.73.234
 set transform-set VPN_TRANSFORM
 set pfs group2
 match address 100

! interface czcy router z internetem 
interface Ethernet2/0
 ip address 91.192.0.182 255.255.255.240
 ip nat outside
 crypto map VPN_MAP


interface Ethernet2/1
 ! interface czcy router z sieci LAN 
 ip address 192.168.150.1 255.255.255.0
 ip nat inside

! wskazanie listy, ktra kontroluje NAT-a (dostp do internetu)
ip nat inside source list 101 interface Ethernet2/0 overload

! ustawienie domylnej bramy  - router ISP.
ip route 0.0.0.0 0.0.0.0 91.192.0.177

! lista nr 100 definiuje, pomidzy jakimi adresami bdzie uywany tunel ipsec
access-list 100 permit ip 192.168.150.128 0.0.0.127 192.168.200.128 0.0.0.127

! lista nr 101 okrela dostp do NAT-a. Zwr uwag na pierwszy wpis blokujcy.
access-list 101 deny   ip 192.168.150.128 0.0.0.127 192.168.200.128 0.0.0.127
access-list 101 permit ip 192.168.150.0 0.0.0.255 any
