version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
no logging console
!
aaa new-model
!
!
aaa authentication login ClientAUTH local
aaa authorization network GroupAUTHOR local
!
!
!
!
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name XXXXXXXXXX
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW ftp
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any business
 match protocol ipsec
 match protocol sqlserver
 match protocol telnet
 match protocol ssh
 match protocol netbios
class-map match-any internet
 match protocol http
 match protocol secure-http
 match protocol ftp
 match protocol secure-ftp
class-map match-all Voice-RTP
 match access-group 102
class-map match-all Voice-Control
 match access-group 103
class-map match-any email
 match protocol pop3
 match protocol smtp
 match protocol imap
 match protocol secure-imap
 match protocol secure-pop3
class-map match-any voice
 match protocol skinny
 match protocol h323
 match protocol sip
 match protocol rtp
 match dscp ef
 match dscp af31
 match dscp cs3
!
policy-map VOIPQOS
 class Voice-RTP
  priority 1000
 class Voice-Control
  bandwidth 16
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxx no-xauth
crypto isakmp key xxxxxxx
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group 3000client
 key xxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxxxxx
 domain xxxxxxxxx
 pool Pool-VPNClient
 acl ACL-VPNClients
!
crypto isakmp client configuration group HardwareClient
 key xxxxxxxxx
 domain xxxxxxxxx
 pool Pool-VPNClient
 acl ACL-VPNClients
 save-password
!
crypto isakmp client configuration group dcs-remote-users
 key xxxxxxxxxxx
 dns xxxxxxxxxxxxxx
 domain xxxxxxxxxxx
 pool Pool-VPNClient
 acl ACL-VPNClients
crypto isakmp profile VPNClient
 description VPN Clients Profile
 match identity group 3000client
 match identity group HardwareClient
 client authentication list ClientAUTH
 isakmp authorization list GroupAUTHOR
 client configuration address respond
!
!
crypto ipsec transform-set myset1 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 5
 set transform-set myset1
 set isakmp-profile VPNClient
 qos pre-classify
!
!
crypto map VPNXAuth 1 ipsec-isakmp
 set peer xxxxxxxxxxxx
 set transform-set myset2
 match address xxxxxxxxx
 qos pre-classify
crypto map xxxxxxx 65535 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address xxxxxxxxxxx
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 ip address xxxxxxxxxxxx
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map xxxxxxxxxxxxx-internet-map
 duplex auto
 speed auto
 service-policy output VOIPQOS
!
interface GigabitEthernet0/1
 ip address xxxxxxxxxxxxxxxx
 ip access-group 106 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed 1000
!
interface GigabitEthernet0/2
 ip address xxxxxxxxxxxxxxx
 ip access-group 105 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPNXAuth
!
ip local pool Pool-VPNClient xxxxxxxxxxxxxx
ip local policy route-map xxxxxxx-internet-map
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation tcp-timeout 300
ip nat inside source route-map natmap1 interface GigabitEthernet0/1 overload
ip nat inside source route-map natmap2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxx
ip route 10.0.0.0 255.255.255.0 xxxxxxxxx
ip route 10.40.172.0 255.255.255.0 xxxxxxxxxx
ip route 10.100.172.0 255.255.255.0 xxxxxxxxxx
ip route xxxxxxxxxxx 255.255.255.0 xxxxxxxxxxx
ip route xxxxxxxxxxx 255.255.255.0 xxxxxxxxxxxx
!
ip access-list extended ACL-VPNClients
 remark ACL Easy VPN Server
 permit ip xxxxxxxxxxxx 0.0.0.255 any
 permit ip 10.100.172.0 0.0.0.255 any
 permit ip xxxxxxxxxx 0.0.0.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip xxxxxxxxx 0.0.0.255 any
 permit ip host xxxxxxxx any
 permit ip xxxxxxxxxxx 0.0.0.255 any
ip access-list extended ACL-VPNSite-to-Site
 permit ip host xxxxxxx host xxxxxxxxxx
 permit ip 10.100.172.0 0.0.0.255 xxxxxx 0.0.0.255
 permit ip 10.100.172.0 0.0.0.255 xxxxxxx 0.0.0.63
 permit ip xxxxxxxxxx 0.0.0.255 xxxxxxxxx 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
 permit ip xxxxxxx 0.0.0.255 xxxxxxxxxx 0.0.0.15
 permit ip xxxxxxxxxxxxx 0.0.0.15 xxxxxxxx 0.0.0.255
ip access-list extended CAP-FILTER
 permit ip host xxxxxxxxx host xxxxxxxxxx
 permit ip host xxxxxxxxxxx host xxxxxxxxxxx
!
ip sla auto discovery
ip sla 1
 icmp-echo xxxxxxxxxxx source-ip xxxxxxxxxxxx
 frequency 400
access-list 1 permit any
access-list 100 remark Deny NAT to ISP Network
access-list 100 deny ip xxxxxxxxxxxx 0.0.0.15 any
access-list 100 remark Deny NAT to VPN Clients
access-list 100 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxx 0.0.0.255
access-list 100 deny ip xxxxxxxxxx 0.0.0.255 xxxxxxxx 0.0.0.255
access-list 100 deny ip xxxxxxxxxxx 0.0.0.255 xxxxxxxxxx 0.0.0.255
access-list 100 remark Deny NAT to EZVPN Tunnel
access-list 100 deny ip 10.100.172.0 0.0.0.255 xxxxxxxx 0.0.0.255
access-list 100 deny ip 10.100.172.0 0.0.0.255 xxxxxxxx 0.0.0.63
access-list 100 deny ip 10.0.0.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 100 deny ip xxxxxxxxx 0.0.0.255 xxxxxxxxxxx 0.0.0.255
access-list 100 deny ip xxxxxxxxxxx 0.0.0.255 xxxxxxxxxx 0.0.0.15
access-list 100 deny ip any any
access-list 100 permit ip any any
access-list 102 permit ip any any precedence critical
access-list 102 permit ip any any dscp ef
access-list 102 permit udp any any range 16384 32776
access-list 103 permit tcp any any range 2000 2002
access-list 103 permit tcp any any eq 2428
access-list 103 permit udp any any eq 2427
access-list 103 permit tcp any any eq 1720
access-list 105 permit ip any any
access-list 106 deny tcp any any eq telnet
access-list 106 permit icmp any host xxxxxxxxxxxxxx
access-list 106 deny icmp any any echo
access-list 106 permit ip any any
access-list 110 permit tcp any host xxxxxxxxxxx eq 1723
access-list 110 permit tcp any host xxxxxxxxxxxxx eq 22
access-list 110 permit esp any host xxxxxxxxxxxxx
access-list 110 permit udp any host xxxxxxxxxxxxx eq isakmp
access-list 110 permit udp any host xxxxxxxxxxxxx eq non500-isakmp
access-list 110 permit tcp any host xxxxxxxxxxxxx eq www
access-list 110 permit tcp any host xxxxxxxxxxxxx eq 443
access-list 110 permit gre any host xxxxxxxxxx
access-list 111 deny ip host xxxxxxxxxx host xxxxxxxxxxxx
access-list 111 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 111 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.63
access-list 111 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 111 deny ip 10.0.0.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 111 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxx 0.0.0.15
access-list 111 deny ip any xxxxxxxxxxxxx 0.0.0.255
access-list 111 deny ip 10.40.172.0 0.0.0.255 10.100.172.0 0.0.0.255
access-list 111 deny ip 10.40.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 111 deny ip 10.40.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 111 permit ip 10.100.172.0 0.0.0.255 any
access-list 111 permit ip xxxxxxxxxxxxx 0.0.0.255 any
access-list 111 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 permit ip 10.200.178.0 0.0.0.255 any
access-list 111 permit ip 10.40.172.0 0.0.0.255 any
access-list 112 deny ip host xxxxxxxxxxxxx host xxxxxxxxxxxx
access-list 112 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.63
access-list 112 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip 10.0.0.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxx 0.0.0.15
access-list 112 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip 10.100.172.0 0.0.0.255 10.100.175.0 0.0.0.255
access-list 112 deny ip any xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip 10.40.172.0 0.0.0.255 10.100.172.0 0.0.0.255
access-list 112 deny ip 10.40.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 deny ip 10.40.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 112 permit ip xxxxxxxxxxxxx 0.0.0.255 any
access-list 112 permit ip xxxxxxxxxxxxx 0.0.0.255 any
access-list 112 permit ip 10.0.0.0 0.255.255.255 any
access-list 112 permit ip 10.40.172.0 0.0.0.255 any
access-list 121 deny ip 10.0.0.0 0.255.255.255 any
access-list 121 deny ip xxxxxxxxxx 0.0.255.255 any
access-list 121 deny ip xxxxxxxxxxx 0.0.255.255 any
access-list 121 permit tcp any eq www any
access-list 121 permit tcp any eq 443 any
access-list 121 permit tcp any eq smtp any
access-list 121 permit tcp any any eq smtp
access-list 121 permit tcp any eq pop3 any
access-list 121 permit tcp any eq 143 any
access-list 121 permit tcp any eq 993 any
access-list 121 deny ip any any log
access-list 122 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 122 deny ip 10.100.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.63
access-list 122 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 122 deny ip 10.0.0.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 122 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxx 0.0.0.15
access-list 122 deny ip any xxxxxxxxxx 0.0.0.255
access-list 122 deny ip xxxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 122 deny ip 10.100.172.0 0.0.0.255 10.100.175.0 0.0.0.255
access-list 122 deny ip 10.40.172.0 0.0.0.255 10.100.175.0 0.0.0.255
access-list 122 deny ip 10.40.172.0 0.0.0.255 10.100.172.0 0.0.0.255
access-list 122 deny ip 10.40.172.0 0.0.0.255 xxxxxxxxxxxxx 0.0.0.255
access-list 122 deny ip 10.40.172.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 122 permit ip xxxxxxxxxxxxx 0.0.0.255 any
access-list 122 permit ip 10.100.172.0 0.0.0.255 any
access-list 122 permit ip xxxxxxxxxxxxx 0.0.0.255 any
access-list 122 permit ip 10.0.0.0 0.0.0.255 any
access-list 122 permit ip 10.40.172.0 0.0.0.255 any
!
route-map xxxxxxxxxxxxx-internet-map permit 10
 match ip address 122
 set ip next-hop xxxxxxxxxxxx
 set interface GigabitEthernet0/1
!
route-map internet permit 10
 match ip address 100
!
route-map natmap2 permit 10
 match ip address 112
 match interface GigabitEthernet0/2
!
route-map natmap1 permit 10
 match ip address 111
 match interface GigabitEthernet0/1
!