! IKEv1 (ISAKMP) phase 1 policies: 3DES, pre-shared key, DH group 2, 8-hour lifetime
! (3DES and DH group 2 are legacy choices; the peer must be configured to match.)
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
! Pre-shared key for the remote peer 5.5.5.5
crypto isakmp key r9HW51OUUIne1BkNf2zVkBC4XjR1dwImkoR address 5.5.5.5 no-xauth
!
! Phase 2 transform set: ESP with 3DES and SHA-1 HMAC, tunnel mode
crypto ipsec transform-set PAN-IT esp-3des esp-sha-hmac
 mode tunnel
!
! Crypto map entry: peer, transform set and interesting-traffic ACL
crypto map PANVPN 200 ipsec-isakmp
 description VPN to PAN-IT-VPN
 set peer 5.5.5.5
 set transform-set PAN-IT
 match address PAN-IT-VPN
 qos pre-classify
!
! Static routes to the VPN peer and to the remote (hosted) network
ip route 5.5.5.5 255.255.255.255 1.1.1.30 name PAN-IT-VPN-VPN-PEER
ip route 10.254.168.0 255.255.255.0 1.1.1.30 name PAN-IT-SOLUTIONS_HOSTED-NETWORK
!
! Crypto (interesting-traffic) ACL: local networks -> remote network
ip access-list extended PAN-IT-VPN
 permit ip 204.125.74.0 0.0.0.255 10.254.168.0 0.0.0.255
 permit ip 172.30.3.0 0.0.0.255 10.254.168.0 0.0.0.255
 permit ip 206.92.10.32 0.0.0.31 10.254.168.0 0.0.0.255
!
! Redistribute the static route for the remote network into EIGRP
ip prefix-list REDISTRIBUTE-PAN-IT-VPN seq 10 permit 10.254.168.0/24
!
router eigrp 40443
 redistribute static route-map PAN-IT-VPN
!
route-map PAN-IT-VPN permit 10
 match ip address prefix-list REDISTRIBUTE-PAN-IT-VPN
!
! Allow IKE (UDP 500) and NAT-T (UDP 4500) from the peer to the outside address
ip access-list extended INTERNET_IN
 permit udp host 5.5.5.5 host 1.1.1.1 eq isakmp
 permit udp host 5.5.5.5 host 1.1.1.1 eq non500-isakmp
!
! Outside interface: bind the crypto map and apply INTERNET_IN to inbound traffic
interface GigabitEthernet0/0/1
 crypto map PANVPN
 ip address 1.1.1.1 255.255.255.0
 ip access-group INTERNET_IN in
!
! NAT exemption: traffic matching the crypto ACL is denied from NAT (sequence 5)
route-map NAT-TO-INTERNET deny 5
 match ip address PAN-IT-VPN
route-map NAT-TO-INTERNET permit 10
 match ip address NAT-TO-INTERNET
 match interface GigabitEthernet0/0/1
!
ip nat inside source route-map NAT-TO-INTERNET interface GigabitEthernet0/0/1 overload
!
!
! ############ The configuration below is needed if the router runs a zone-based firewall ############
!
class-map type inspect match-any OUTSIDE-TO-INSIDE
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect OUTSIDE-TO-INSIDE
  inspect
 class class-default
  drop
!
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
!
! Zone-based firewall ACL: remote network -> local networks (mirror of the crypto ACL)
ip access-list extended OUTSIDE-TO-INSIDE
 permit ip 10.254.168.0 0.0.0.255 204.125.74.0 0.0.0.255
 permit ip 10.254.168.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit ip 10.254.168.0 0.0.0.255 206.92.10.32 0.0.0.31
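
In the configuration above, the zone-based-firewall ACL OUTSIDE-TO-INSIDE is the exact mirror (source and destination swapped) of the crypto ACL PAN-IT-VPN. The following Python check is an added example, not part of the original configuration. It reports entries where the two ACLs have drifted apart. The names `parse_acls`, `mirror_gaps` and `SAMPLE_CONFIG` are hypothetical, the sample is constructed from the two ACLs on this page, and only `permit ip <net> <wildcard> <net> <wildcard>` entries are handled.

```python
import re

# Constructed sample: the two ACLs from the configuration on this page.
SAMPLE_CONFIG = """\
ip access-list extended PAN-IT-VPN
 permit ip 204.125.74.0 0.0.0.255 10.254.168.0 0.0.0.255
 permit ip 172.30.3.0 0.0.0.255 10.254.168.0 0.0.0.255
 permit ip 206.92.10.32 0.0.0.31 10.254.168.0 0.0.0.255
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit ip 10.254.168.0 0.0.0.255 204.125.74.0 0.0.0.255
 permit ip 10.254.168.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit ip 10.254.168.0 0.0.0.255 206.92.10.32 0.0.0.31
"""

HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# Network/wildcard form only; host and port forms are ignored by this check.
ACE = re.compile(r"^\s+permit ip (\S+) (\S+) (\S+) (\S+)\s*$")


def parse_acls(config):
    """Return {acl_name: set of (src, src_wildcard, dst, dst_wildcard)}."""
    acls, current = {}, None
    for line in config.splitlines():
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), set())
            continue
        entry = ACE.match(line)
        if entry and current is not None:
            current.add(entry.groups())
        elif not line[:1].isspace():
            current = None  # any unindented line ends the ACL block
    return acls


def mirror_gaps(config, crypto_acl, inbound_acl):
    """Compare inbound_acl against the source/destination swap of crypto_acl."""
    acls = parse_acls(config)
    expected = {(d, dw, s, sw) for s, sw, d, dw in acls.get(crypto_acl, set())}
    actual = acls.get(inbound_acl, set())
    return {"missing": sorted(expected - actual),
            "extra": sorted(actual - expected)}


if __name__ == "__main__":
    print(mirror_gaps(SAMPLE_CONFIG, "PAN-IT-VPN", "OUTSIDE-TO-INSIDE"))
```

A "missing" entry is tunnel return traffic the firewall policy would drop; an "extra" entry is traffic the firewall admits that the crypto ACL does not define as tunnel traffic.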