version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname REMOTE1-Cent-rtr
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
logging buffered 2048000 informational
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
no ip bootp server
ip name-server 8.8.8.8
ip domain name cent.remote1.local
!
login block-for 60 attempts 3 within 60
login on-failure log
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4331/K9 sn FLMXXXXXXXX
diagnostic bootup level minimal
spanning-tree extend system-id
!
redundancy
 mode none
!
no cdp run
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key address 172.19.1.2 no-xauth
crypto isakmp keepalive 30 9 periodic
crypto isakmp nat keepalive 20
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AES256_SHA_TUNNEL_MODE esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CRYPTO_MAP local-address Loopback0
crypto map CRYPTO_MAP 1 ipsec-isakmp
 set peer 172.19.1.2
 set transform-set AES256_SHA_TUNNEL_MODE
 set pfs group14
 match address TO_HQ
!
interface Loopback0
 description VPN INTERFACE
 ip address 10.39.31.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0/0
 description PROVIDER LINK
 ip address 10.170.241.238 255.255.255.0
 ip nat outside
 ip access-group WAN_FIREWALL in
 negotiation auto
 crypto map CRYPTO_MAP
!
interface GigabitEthernet0/0/1
 description LAN
 ip address 10.39.0.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1300
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat log translations syslog
ip nat inside source static udp 10.39.31.1 500 10.170.241.238 500 extendable
ip nat inside source static udp 10.39.31.1 4500 10.170.241.238 4500 extendable
ip nat inside source static tcp 10.39.0.224 2222 10.170.241.238 2222 extendable
ip nat inside source route-map NONAT_LAN interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 10.170.241.1
!
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended NAT
 deny   ip 10.39.0.0 0.0.0.255 10.254.5.0 0.0.0.255
 deny   ip 10.39.31.0 0.0.0.255 10.254.5.0 0.0.0.255
 permit ip 10.39.31.0 0.0.0.255 any
 permit ip 10.39.0.0 0.0.0.255 any
ip access-list extended TO_HQ
 permit ip 10.39.0.0 0.0.0.255 10.254.5.0 0.0.0.255
ip access-list extended WAN_FIREWALL
 permit udp host 172.19.1.2 host 10.170.241.238 eq isakmp
 permit udp host 172.19.1.2 host 10.170.241.238 eq non500-isakmp
 permit esp host 172.19.1.2 host 10.170.241.238
 permit tcp host 172.19.1.2 host 10.170.241.238 eq 22
 permit tcp any host 10.170.241.238 eq 2222
 permit udp host 8.8.8.8 eq domain host 10.170.241.238
 permit tcp any eq 587 host 10.170.241.238
 permit icmp any host 10.170.241.238
access-list 101 permit esp any any
access-list 101 deny   tcp any eq 22 any
access-list 101 deny   tcp any any eq 22
access-list 101 permit ip host 172.19.1.2 any
access-list 101 permit ip any host 172.19.1.2
!
route-map NONAT_LAN permit 1
 match ip address NAT
!
control-plane
!
line con 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
 transport output ssh
!
ntp master
ntp server 10.254.5.1 source GigabitEthernet0/0/1
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end

**********************************

#sh ip nat trans
Pro  Inside global          Inside local        Outside local      Outside global
tcp  10.170.241.238:2222    10.39.0.224:2222    ---                ---
udp  10.170.241.238:4500    10.39.31.1:4500     ---                ---
udp  10.170.241.238:500     10.39.31.1:500      ---                ---
udp  10.170.241.238:4500    10.39.31.1:4500     172.19.1.2:4500    172.19.1.2:4500
udp  10.170.241.238:500     10.39.31.1:500      172.19.1.2:500     172.19.1.2:500
Total number of translations: 6

#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.

1002  10.39.31.1      172.19.1.2             ACTIVE  aes   sha   psk   14  07:47:34  DN
      Engine-id:Conn-id = SW:2

IPv6 Crypto ISAKMP SA

#SH CRYPTO IPSEC SA DETAIL

interface: GigabitEthernet0/0/0
    Crypto map tag: CRYPTO_MAP, local addr 10.39.31.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.39.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.254.5.0/255.255.255.0/0/0)
   current_peer 172.19.1.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 10.39.31.1, remote crypto endpt.: 172.19.1.2
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0x3971F24A(963768906)
     PFS (Y/N): Y, DH group: group14

     inbound esp sas:
      spi: 0x898FC49E(2307900574)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4608000/28110)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3971F24A(963768906)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048, crypto map: CRYPTO_MAP
        sa timing: remaining key lifetime (k/sec): (4607999/28110)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas: