!
aaa new-model
aaa local authentication attempts max-fail 5
!
aaa authentication login VPN-AUTH local
aaa authorization network VPN-GROUP local
!
aaa session-id common
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp client configuration group VPN-USERS
 key Apassword
 dns 8.8.8.8 8.8.4.4
 pool VPN-POOL
 max-users 5
 netmask 255.255.255.224
!
crypto isakmp client configuration group VPN-MANAGMENT
 key Apassword2
 dns 8.8.8.8 8.8.4.4
 pool VPN-POOL-2
 max-users 5
 netmask 255.255.255.224
crypto isakmp profile VPN-IKE-PROFILE-1
 match identity group VPN-MANAGMENT
 match identity group VPN-USERS
 client authentication list VPN-AUTH
 isakmp authorization list VPN-GROUP
 client configuration address initiate
 client configuration address respond
 virtual-template 1
!
crypto ipsec security-association lifetime seconds 1000
!
crypto ipsec transform-set CRYPRO-TYPE esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN-PROFILE-1
 set transform-set CRYPRO-TYPE
 set isakmp-profile VPN-IKE-PROFILE-1
!
!
!
crypto dynamic-map DYNMAP 10
 set transform-set CRYPRO-TYPE
 reverse-route
!
!
crypto map VPN-INTERNET 10 ipsec-isakmp dynamic DYNMAP
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.25
 encapsulation dot1Q 25
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.40
 encapsulation dot1Q 40
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.200
 encapsulation dot1Q 200
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0.250
 encapsulation dot1Q 250
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map VPN-INTERNET
 ip virtual-reassembly
!
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0/1
 no ip unreachables
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VPN-PROFILE-1
 ip virtual-reassembly
!
ip local pool VPN-POOL 192.168.10.2 192.168.10.6
ip local pool VPN-POOL-2 192.168.20.2 192.168.20.6
ip nat translation udp-timeout 300
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat translation max-entries 2000000
ip nat pool nat-pool 192.168.0.2 192.168.0.199 netmask 255.255.225.0
ip nat inside source list 110 pool nat-pool overload
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.0.1 254
access-list 110 permit ip any any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any log
access-list 110 permit ip 192.168.2.0 0.0.0.255 any log
access-list 110 permit ip 192.168.3.0 0.0.0.255 any log
access-list 110 permit ip 192.168.4.0 0.0.0.255 any log
access-list 110 permit ip 192.168.5.0 0.0.0.255 any log
access-list 110 deny ip any any log
!