Translation Key:
B - public ISR address
Y - public ASA address
V - VPN DHCP addresses

hostname TEST
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
no logging monitor
enable secret McYWj7xWyGWQecUZYgiBDsq%LegqVKwRYaZuyuvMgPAcyMXqJaiJxFYLCFawcdmz
!
no aaa new-model
!
ip name-server X.X.X.X X.X.X.X
no ip domain lookup
ip domain name [domain.com]
no ip dhcp use vrf connected
ip dhcp excluded-address 10.245.167.1 10.245.167.10
ip dhcp excluded-address 10.245.167.250 10.245.167.254
!
ip dhcp pool TEST
 network 10.245.167.0 255.255.255.0
 default-router 10.245.167.254
 domain-name [domain.com]
 dns-server 8.8.8.8 8.8.4.4
!
subscriber templating
!
multilink bundle-name authenticated
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4331/K9 sn [SERIALNUMBER]
diagnostic bootup level minimal
spanning-tree extend system-id
!
username [username] password 7 [password]
!
redundancy
 mode none
!
crypto ikev2 proposal PROPOSAL
 encryption aes-gcm-256 aes-gcm-128
 prf sha512 sha384 sha256
 group 20 19 14
!
crypto ikev2 policy POLICY
 proposal PROPOSAL
!
crypto ikev2 keyring KEY
 peer VPN
  address Y.Y.Y.151 255.255.255.128
  identity address B.B.B.148
  pre-shared-key [presharedkey]
 !
!
crypto ikev2 profile PROFILE
 match address local B.B.B.148
 match identity remote address Y.Y.Y.151 255.255.255.128
 authentication remote pre-share
 authentication local pre-share
 keyring local KEY
 lifetime 28800
 no config-exchange request
!
policy-map child
 class class-default
  fair-queue
  set dscp default
policy-map tunnel
 class class-default
  shape average 768000
  service-policy child
!
crypto ipsec transform-set SEC_TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set SEC_TS
 set ikev2-profile PROFILE
!
interface Tunnel0
 ip unnumbered GigabitEthernet0/0/1
 ip access-group OUT_TRAFFIC out
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination Y.Y.Y.151
 tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0/0
 ip address B.B.B.148 255.255.255.248
 ip nat outside
 ip access-group 199 in
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 10.245.167.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
ip nat pool branch B.B.B.148 B.B.B.148 netmask 255.255.255.248
ip nat inside source list 120 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 B.B.B.145
!
ip ssh time-out 90
ip ssh rsa keypair-name TEST.[domain.com]
ip ssh version 2
!
ip access-list extended NONAT-TUNNEL
 deny ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
 deny ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 any
ip access-list extended OUT_TRAFFIC
 permit ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 V.V.V.0 0.0.0.255
logging trap debugging
logging facility syslog
logging source-interface GigabitEthernet0/0/1
access-list 120 deny ip 10.245.167.0 0.0.0.255 10.245.167.0 0.0.0.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 V.V.V.0 0.0.0.255
access-list 120 permit ip 10.245.167.0 0.0.0.255 any
access-list 199 deny tcp any any eq 22
access-list 199 deny udp any any eq tftp
access-list 199 deny udp any any eq 1025
access-list 199 deny tcp any any eq 1720
access-list 199 deny tcp any any eq 2005
access-list 199 deny udp any any eq 2005
access-list 199 deny udp any any eq 2427
access-list 199 deny udp any any eq 2517
access-list 199 deny tcp any any eq 4005
access-list 199 deny udp any any eq 4005
access-list 199 deny tcp any any eq 5060
access-list 199 deny udp any any eq 5060
access-list 199 deny tcp any any eq 5061
access-list 199 deny udp any any eq 5061
access-list 199 deny tcp any any eq 6005
access-list 199 deny udp any any eq 6005
access-list 199 deny tcp any any eq 11720
access-list 199 deny udp any any range 16384 32767
access-list 199 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gateway
 timer receive-rtp 1200
!
line con 0
 login local
 transport input none
 stopbits 1
line aux 0
 exec-timeout 0 1
 login local
 no exec
 stopbits 1
line vty 0 4
 login local
 transport input ssh
!
network-clock synchronization automatic
no network-clock synchronization participate 0
ntp server N.N.N.3
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end