boot-start-marker
boot-end-marker
!
! Cisco IOS running-config (spoke router with a DMVPN tunnel, an IKEv1 remote-access
! VPN, CBAC firewall and PAT). Line breaks restored; "!" lines are ignored by IOS.
!
aaa new-model
!
! AAA: every login (console, vty, XAuth for the remote-access group) is checked
! against the local user database. No "username" lines are visible in this listing
! (they may be elided from the export) -- confirm at least one local account exists,
! otherwise these lists deny every login.
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
ip cef
!
! LAN DHCP: hands out 192.168.1.100-199 (the two excluded ranges cover the rest).
! NOTE(review): the secondary resolver here (4.2.2.2) differs from the router's own
! "ip name-server" secondary (8.8.4.4) below; harmless, but presumably unintended.
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 4.2.2.2
 default-router 192.168.1.1
 lease 90
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
! CBAC inspection rule; applied "out" on GigabitEthernet0/0, so return traffic for
! these protocols is opened dynamically through the inbound POLICE ACL.
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL icmp
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL smtp
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
! IKEv1 phase-1 policies (hash not set, so the IOS default applies).
! NOTE(review): policy 5 is identical to policy 2 (aes / pre-share / group 2) and
! adds nothing. DH group 2 (1024-bit) is below current guidance; prefer "group 14"
! or higher where every peer supports it -- peer capabilities are not visible here,
! so this is left unchanged.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
! NOTE(review): wildcard pre-shared key -- "address 0.0.0.0" accepts this key from
! any peer IP, so anyone who learns it can complete phase 1 with this router. The
! DMVPN tunnel (PROTECT-GRE has no isakmp-profile) appears to rely on it; binding
! the key to the hub address in a keyring, or moving to certificates, would narrow
! that exposure. Confirm before changing.
crypto isakmp key ************ address 0.0.0.0
!
! Remote-access (EZVPN-style) group. The group key is shared by every client and
! is the only phase-1 secret for this group; per-user XAuth credentials are checked
! afterwards via ciscocp_vpn_xauth_ml_1. acl 100 is the split-tunnel list.
crypto isakmp client configuration group VPN-ACCESS-GROUP
 key ******
 dns 8.8.8.8
 pool IPSEC-Pool
 acl 100
 netmask 255.255.255.0
 banner ^C
******************************************************************************
Restricted Access! Only authorized Company personnel are permitted.
****************************************************************************************
^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN-ACCESS-GROUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
! Phase-2 transform sets. OUR-SET (AES-256/SHA, transport) protects the GRE tunnel;
! VPN-USER-SET serves the remote-access clients.
! NOTE(review): TS uses legacy 3DES/MD5. It is referenced only by crypto map CMAP,
! which is not applied to any interface in this listing; if the crypto map is
! really unused, TS / CMAP / VPN-TRAFFIC can be removed together.
crypto ipsec transform-set OUR-SET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set VPN-USER-SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
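! IPsec profile for the remote-access Virtual-Template2 (idle SAs torn down after 2h).
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 7200
 set transform-set VPN-USER-SET
 set isakmp-profile ciscocp-ike-profile-1
!
! IPsec profile protecting the mGRE DMVPN tunnel (AES-256/SHA, transport mode).
crypto ipsec profile PROTECT-GRE
 set transform-set OUR-SET
!
! NOTE(review): this crypto map is not applied to any interface in this listing,
! so the site-to-site entry to X.X.X.X is never negotiated. It is the only user of
! the legacy 3DES/MD5 transform-set TS and of ACL VPN-TRAFFIC; remove all three if
! the tunnel is indeed retired.
crypto map CMAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
!
! DMVPN spoke: registers with NHS 172.16.0.1 (hub at X.X.X.X) and runs EIGRP 123
! over the tunnel. Confidentiality and peer authentication come from "tunnel
! protection ipsec" (IKE pre-shared key); the NHRP authentication string and the
! tunnel key are not cryptographic protections.
interface Tunnel0
 bandwidth 10000
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 123
 no ip split-horizon eigrp 123
 ip nhrp authentication ********
 ip nhrp map multicast X.X.X.X
 ip nhrp map 172.16.0.1 X.X.X.X
 ip nhrp network-id 1
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip nhrp registration no-unique
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key *******
 tunnel protection ipsec profile PROTECT-GRE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
! Internet-facing interface: inbound POLICE ACL, CBAC inspection outbound, PAT
! outside, CDP off. Nothing below permits tcp/80 or vty ports from the WAN.
interface GigabitEthernet0/0
 description WAN CONNECTION
 ip address dhcp
 ip access-group POLICE in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
! LAN interface (DHCP default gateway for pool MAIN).
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! Per-client tunnel interface for the remote-access VPN; borrows Loopback1's address.
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! EIGRP 123 over the DMVPN tunnel, advertising the LAN.
! FIX: "network 192.168.1.0" also enables EIGRP on GigabitEthernet0/1, so any host on
! the user LAN could form an adjacency and inject routes. The LAN is a DHCP client
! subnet with this router as default gateway, so it is made passive here; drop this
! line if another EIGRP router genuinely sits on 192.168.1.0/24.
! No EIGRP authentication is configured on Tunnel0 either; IPsec authenticates the
! hub, so that is lower priority.
router eigrp 123
 network 172.16.0.0
 network 192.168.1.0
 passive-interface GigabitEthernet0/1
 no auto-summary
!
! Ten addresses for remote-access clients.
ip local pool IPSEC-Pool 192.168.2.80 192.168.2.89
ip forward-protocol nd
!
! NOTE(review): management over plain HTTP with local credentials; HTTPS is
! explicitly disabled. The POLICE ACL keeps tcp/80 off the WAN, but credentials
! still cross the LAN/VPN in clear. Prefer "ip http secure-server" with
! "no ip http server" (the Cisco CP tooling referenced elsewhere works over HTTPS);
! not changed here because it requires a certificate/RSA key to be present.
ip http server
ip http authentication local
no ip http secure-server
!
! PAT for LAN hosts; excludes LAN->10.0.0.0/24 (the remote site behind the tunnel).
ip nat inside source list NAT_CLIENTS interface GigabitEthernet0/0 overload
! Static route to the remote LAN via the mGRE tunnel; with no next hop given, NHRP
! must resolve the destination (presumably via the NHS / shortcut) -- verify it works.
ip route 10.0.0.0 255.255.255.0 Tunnel0
!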
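! PAT source list: LAN to the remote 10.0.0.0/24 is not translated; everything else is.
ip access-list extended NAT_CLIENTS
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! Inbound WAN filter (applied "in" on GigabitEthernet0/0). IKE/NAT-T, ESP/AH and GRE
! are needed for the DMVPN and remote-access tunnels; DNS/NTP/DHCP replies for the
! router's own sessions are permitted explicitly because CBAC does not inspect
! router-originated traffic. Telnet, SSH and HTTP are not permitted from the WAN.
! NOTE(review): "permit udp any any eq domain" and the three "permit tcp any any eq
! smtp/587/443" entries allow NEW inbound connections from any source. Return
! traffic for LAN sessions is already opened by the FIREWALL inspect rule, so these
! look like leftovers; nothing in this listing listens on those ports from the WAN
! (HTTPS is disabled), but they would expose any future static NAT. Confirm intent
! and remove them if unneeded.
ip access-list extended POLICE
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp any eq isakmp any
 permit ahp any any
 permit esp any any
 permit udp any any eq domain
 permit udp any any eq ntp
 permit udp any eq domain any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq smtp
 permit tcp any any eq 587
 permit tcp any any eq 443
 permit gre any any
 permit udp any eq bootps any eq bootpc
 deny ip any any
!
! Only referenced by crypto map CMAP, which is not applied to any interface here.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Split-tunnel list pushed to remote-access clients: only the LAN goes via the VPN.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! FIX: pin SSH to protocol version 2 (SSHv1 is broken). Requires an RSA key pair on
! the device; check "show ip ssh" reports SSH enabled before applying this block.
ip ssh version 2
!
control-plane
!
alias exec s sho ip int bri
alias exec c conf t
banner motd ^C
*********************************************
DO NOT ENTER!! UNAUTHORIZED ACCESS PROHIBITED!
********************************************^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
 history size 15
! FIX: the auxiliary port had default settings (exec enabled); disable it.
line aux 0
 no exec
 transport input none
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! FIX: vty lines accepted Telnet, which carries the local credentials in clear
! over the LAN and tunnels (the WAN ACL already blocks it). SSH only from now on;
! verify SSH works from a second session before saving, since the console is the
! only fallback. Consider an "access-class" restricting vty to management sources.
line vty 0 4
 exec-timeout 45 0
 logging synchronous
 terminal-type monit
 transport input ssh
!
scheduler allocate 20000 1000
!
end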