Cisco Network part 84


ip policy route-map LOOPNAT
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 10.0.0.0 0.255.255.255
route-map LOOPNAT permit 10
match ip address 1
set interface Loopback0

Note that the Lo0 interface may have any IP address.
**************************************************************************
From: Question 29
Subject: How do I hide a summarized OSPF route from one ABR to another?
area 1 range x.x.x.x x.x.x.x not-advertise
**************************************************************************
From: Question 30
Subject: How do I set up Windows 2000 and IPSec to a PIX Firewall?
To describe how to use the Local Security Policy MMC in W2K would take a
long time. So, the config I will share with you is the 'dial-up' one I
mentioned before. In this posting I will detail the bare minimum needed to
get a W2K client working with a PIX firewall running v6.01 software. For
simplicity I use a preshared key for authentication. Since I have to embed
this key into the script I use, it makes the configuration open and thus
vulnerable. However, you should be able to tweak the configuration from this
to meet your own security needs. The W2K IPSec client supports certificates
as well as preshared keys, so a "secure" version of this config is
attainable.
The configuration script I eked out (it isn't beautiful code) is actually written in
Perl. If you would like to re-write it in the old DOS batch file format, please do
so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version
found at . The Perl script I show here is documented as
to what it does. The MS ipsecpol.exe program that you have to use has its own
documentation, which you should read. For the PIX I give you only the crypto,
isakmp, and sysopt commands you need to issue to your PIX to make this config
work. The config assumes that the PIX has NAT enabled.
Ok, enough blabber, here it is. I hope it is helpful.
For the purposes of this 'demo' config, the PIX Firewall will have
192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X
network. The inside router will be 10.0.0.1.
Quick Network Schematic:
[W2K] > [Dial-Up WAN adapter (DHCP assigned address)] >
[Internet] >[PIX Firewall(192.168.0.1)] > [Internal LAN
(10.0.X.X)] > [Inside Router (10.0.0.1)]
The PIX firewall commands needed are:
sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
The Perl script I wrote is as follows. I execute this script every time I
establish a connection with my dial-up ISP. It then sets up the IPSec tunnel
using my current ISP-assigned IP address.
#begin listing
# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.
# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
#
#
# I should put this in POD format at some point but I am in a hurry right now.
use Net::hostent;
use Socket;
# Two variables: one for the local IP address and one for the VPN server.
# This script assumes that the VPN server has a static IP.
my $localipaddress;
my $VPNHostIP = '192.168.0.1';
# The following section of code discerns the IP address of the host provided
# in the command line arguments. The default is the localhost.
# NOTE: The code section is smart and gives you a routable IP (if available)
# and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL
# documentation site.
# I just added an assignment of the discerned IP address to the
# $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of
# 'netscape.com'
@ARGV = ('localhost') unless @ARGV;

for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }
    printf "\n%s is %s%s\n",
        $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;
    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};
    if ( @{$h->addr_list} > 1 ) {
        # Several addresses: list them all. Note that $localipaddress is only
        # assigned in the single-address branch below.
        my $i = 0;
        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        # my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }
    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}
# This next section is a very modified version of the Ping example on the
# Perl Documentation Website.
# Now that we know our IP address, we can set up the IPSec tunnel.
# First we try and ping our VPN server.
use Net::Ping;
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP))
{
    print "Yes\nAttempting to initialize IPSec Connection";
    # Now that we can see our server, let's stop and start the W2K IPSec
    # Policy Agent.
    # This deletes any 'dynamic' IPSec policies that may have been in effect
    # before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);
    # Now we issue the ipsecpol command to set up the tunnel to our VPN Server.
    # The ipsecpol command line utility can be found on Microsoft's Website.
    #
    # or
    #
    # /EN-US/ipsecpol_setup.exe
    # MS requires two ipsecpol commands be issued in order to set up a tunnel.
    # One for the inbound traffic and one for the outbound traffic.
    # For this tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP
    # Address.
    # The tunnel setting '-t' is either My IP Address or the VPN Server's IP
    # Address.
    # The security method list '-s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using QuickMode key exchange '-1k' rekeys after 10 quick modes
    # '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";
    # This sets up the inbound leg of the tunnel. We are filtering all traffic
    # inbound from 10.0.X.X to our IP address.
    # The critical part of this statement is that the -t argument must contain
    # our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*=' . $localipaddress . ' -t ' . $localipaddress
        . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);
    # This sets up the outbound leg of the tunnel. We are filtering all
    # traffic outbound to 10.0.X.X from our IP address.
    # The critical part of this statement is that the -t argument must contain
    # the VPN Server's IP Address.
    $cmdstring = 'ipsecpol -f ' . $localipaddress . '=10.0.*.* -t ' . $VPNHostIP
        . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);
    # Now that we have issued our commands, we should test the network and see
    # if we can see inside it.
    # The internal router is the easiest target. Here it is 10.0.0.1.
    # We first do a ping just so that the IPSec tunnel will negotiate. W2K does
    # not set up the tunnel until you actually try and send traffic to an
    # IPSec-filtered IP address.
    # Now we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1"))
    {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN Server's external IP
    # address from our ISP.
}
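As an added defender's check (not part of the original posting), a small Python audit of the PIX crypto and isakmp commands shown above. It flags the choices that are weak by today's standards (single DES, MD5, DH group 1) and the pre-shared key bound to address 0.0.0.0 netmask 0.0.0.0, which offers the same key to any peer. The sample input is the posting's own command list, embedded inline.

```python
import re

# Sample input: the PIX commands from the posting above, embedded as a string.
PIX_CONFIG = """\
crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside
isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside
"""

# IPsec transforms and ISAKMP policy values considered weak today.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}
WEAK_ISAKMP = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")


def audit_pix_crypto(config):
    """Return a list of findings (strings) for weak IKE/IPsec settings."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 4:
            # tok[3] is the set name; everything after it is a transform
            # (or the "mode transport" keyword pair, which is not a transform).
            for t in tok[4:]:
                if t in WEAK_TRANSFORMS:
                    findings.append("transform-set %s: weak transform %s" % (tok[3], t))
        elif tok[:2] == ["isakmp", "policy"] and len(tok) >= 5:
            if (tok[3], tok[4]) in WEAK_ISAKMP:
                findings.append("isakmp policy %s: weak %s %s" % (tok[2], tok[3], tok[4]))
        elif tok[:2] == ["isakmp", "key"]:
            m = KEY_RE.match(line.strip())
            if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
                findings.append("isakmp key: pre-shared key bound to 0.0.0.0/0.0.0.0 "
                                "(any peer may authenticate with it)")
    return findings
```

Run it on a live `show run` export to list the same six findings for this config, or an empty list for a policy that uses none of the weak values.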