!
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Test
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
ip dhcp pool Test
 network 192.168.50.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.50.1
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
object-group network IPSECVPN-PUBLIC-IPS_GROUP
 description Public IP Addresses for third party VPN Tunnels
 host ***.***.***.***
!
vtp mode transparent
!
!
!
!
!
vlan 5
!
vlan 10
 name DATA
!
vlan 20
 name WIRELESS
!
vlan 55
 name LAN
!
vlan 99
 name GUEST
!
no ip ftp passive
!
class-map type inspect match-all MANAGEMENT_CLASS
 match access-group name MANAGEMENT_ACL
class-map type inspect match-all LAN-TO-WAN_CLASS
 match access-group name LAN-TO-WAN_ACL
class-map type inspect match-all WAN-TO-LAN_CLASS
 match access-group name WAN-TO-LAN_ACL
class-map type inspect match-all IPSECVPN_CLASS
 match access-group name IPSECVPN-PUBLIC-IPS_ACL
class-map type inspect match-any PERMIT-IP_CLASS
 match access-group name PERMIT-IP_ACL
class-map type inspect match-all WAN-TO-SELF_CLASS
 match access-group name WAN-TO-SELF_ACL
class-map type inspect match-all SELF-TO-WAN_CLASS
 match access-group name SELF-TO-WAN_ACL
!
!
policy-map type inspect SELF-TO-WAN_POLICY
 class type inspect SELF-TO-WAN_CLASS
  pass log
 class class-default
  drop log
policy-map type inspect WAN-TO-SELF_POLICY
 class type inspect WAN-TO-SELF_CLASS
  pass log
 class type inspect IPSECVPN_CLASS
  pass log
 class type inspect MANAGEMENT_CLASS
  inspect
 class type inspect LAN-TO-WAN_CLASS
 class class-default
  drop log
policy-map type inspect LAN-TO-WAN_POLICY
 class type inspect LAN-TO-WAN_CLASS
  inspect
 class class-default
  drop log
policy-map type inspect WAN-TO-LAN_POLICY
 class type inspect WAN-TO-LAN_CLASS
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN_POLICY
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect WAN-TO-SELF_POLICY
zone-pair security SELF-TO-WAN source self destination WAN
 service-policy type inspect SELF-TO-WAN_POLICY
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ************ address ***.***.***.***
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer ***.***.***.***
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface FastEthernet5
 switchport access vlan 99
 switchport trunk native vlan 99
 no ip address
 no cdp enable
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 no cdp enable
 crypto map CMAP
!
interface Vlan1
 shutdown
!
interface Vlan99
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
interface Async1
 no ip address
 encapsulation slip
!
!
router eigrp 10
 network 10.190.200.0 0.0.0.255
 network 192.168.50.0
!
no ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
!
ip nat inside source list 100 interface GigabitEthernet0 overload
ip nat inside source list NAT-INSIDE_ACL interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended IPSECVPN-PUBLIC-IPS_ACL
 permit ip object-group IPSECVPN-PUBLIC-IPS_GROUP any
ip access-list extended LAN-TO-WAN_ACL
 permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended MANAGEMENT_ACL
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit icmp any any
ip access-list extended NAT-INSIDE_ACL
 permit ip 192.168.50.0 0.0.0.255 any
 deny   ip 192.168.50.0 0.0.0.255 10.50.200.0 0.0.0.255
ip access-list extended SELF-TO-WAN_ACL
 permit udp any any eq bootps
 permit udp any any eq ntp
 permit ip any object-group IPSECVPN-PUBLIC-IPS_GROUP
 permit ip host ***.***.***.*** any
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.50.0 0.0.0.255 10.190.200.0 0.0.0.255
ip access-list extended WAN-TO-LAN_ACL
 permit ip 10.190.200.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended WAN-TO-SELF_ACL
 permit ip 10.190.200.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit udp any any eq bootpc
 permit udp any any eq ntp
!
no cdp run
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
 login local
line 1
 modem InOut
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
!
ntp server pool.ntp.org prefer
!
end