Translation Key:
B - public ISR address
Y - public ASA address
V - VPN DHCP addresses

crypto ikev2 proposal PROPOSAL
 encryption aes-gcm-256 aes-gcm-128
 prf sha512 sha384 sha256
 group 20 19 14
!
crypto ikev2 policy POLICY
 proposal PROPOSAL
!
crypto ikev2 keyring KEY
 peer VPN
  address Y.Y.Y.151 255.255.255.128
  identity address B.B.B.148
  pre-shared-key [presharedkey]
 !
!
crypto ikev2 profile PROFILE
 match address local B.B.B.148
 match identity remote address Y.Y.Y.151 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEY
 lifetime 28800
!
crypto ipsec transform-set SEC_TS esp-gcm 256
 mode tunnel
!
interface GigabitEthernet0/0/0
 ip address B.B.B.148 255.255.255.248
 ip nat outside
 ip access-group 199 in
 negotiation auto
 crypto map MAP
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 10.245.167.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 negotiation auto
 ip virtual-reassembly
!
crypto map MAP 205 ipsec-isakmp
 set peer Y.Y.Y.151
 set security-association lifetime seconds 28800
 set transform-set SEC_TS
 set ikev2-profile PROFILE
 match address OUT_TRAFFIC
!
ip nat pool branch B.B.B.148 B.B.B.148 netmask 255.255.255.248
ip nat inside source list 120 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 B.B.B.145
!
ip ssh time-out 90
ip ssh rsa keypair-name TEST.[domain.com]
ip ssh version 2
!
! Crypto ACL: traffic that must be sent through the IPsec tunnel
ip access-list extended OUT_TRAFFIC
 permit ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
 permit ip 10.245.167.0 0.0.0.255 V.V.V.0 0.0.0.255
!
! NAT ACL: the deny entries exempt tunnel-bound traffic from the overload NAT
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
access-list 120 deny ip 10.245.167.0 0.0.0.255 V.V.V.0 0.0.0.255
access-list 120 permit ip 10.245.167.0 0.0.0.255 any
!
! Inbound filter on the outside interface. IKEv2 needs UDP 500 and, with NAT-T, UDP 4500;
! a port can only be matched on a tcp/udp entry, not on 'permit ip'.
access-list 199 permit udp any any eq 500
access-list 199 permit udp any any eq 4500
access-list 199 deny tcp any any eq 22
access-list 199 deny udp any any eq tftp
access-list 199 deny udp any any eq 1025
access-list 199 deny tcp any any eq 1720
access-list 199 deny tcp any any eq 2005
access-list 199 deny udp any any eq 2005
access-list 199 deny udp any any eq 2427
access-list 199 deny udp any any eq 2517
access-list 199 deny tcp any any eq 4005
access-list 199 deny udp any any eq 4005
access-list 199 deny tcp any any eq 5060
access-list 199 deny udp any any eq 5060
access-list 199 deny tcp any any eq 5061
access-list 199 deny udp any any eq 5061
access-list 199 deny tcp any any eq 6005
access-list 199 deny udp any any eq 6005
access-list 199 deny tcp any any eq 11720
access-list 199 deny udp any any range 16384 32767
access-list 199 permit ip any any
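The crypto ACL OUT_TRAFFIC and the NAT ACL 120 above have to agree: any flow the crypto map should encrypt must be denied (exempted) in the NAT ACL before the overload permit, otherwise the source address is translated to B.B.B.148 first and the packet never matches the crypto ACL. The following script is an added example, not part of the original post, that parses both ACLs and reports any crypto flow the NAT ACL would still translate. The V.V.V.0/24 placeholder is stood in for by the documentation range 198.51.100.0/24 as a constructed sample value, and the second NAT ACL is a constructed failure case with one exemption missing.

```python
import ipaddress

# Constructed sample inputs, transcribed from the posted config. The V.V.V.0/24 VPN DHCP
# placeholder is stood in for by the RFC 5737 documentation range 198.51.100.0/24.
CRYPTO_ACL = """\
permit ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
permit ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
permit ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
permit ip 10.245.167.0 0.0.0.255 198.51.100.0 0.0.0.255
"""

NAT_ACL = """\
deny ip 10.245.167.0 0.0.0.255 172.16.96.0 0.0.3.255
deny ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
deny ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
deny ip 10.245.167.0 0.0.0.255 198.51.100.0 0.0.0.255
permit ip 10.245.167.0 0.0.0.255 any
"""

# Constructed failure case: the 172.16.96.0/22 exemption was forgotten.
NAT_ACL_MISSING_EXEMPT = """\
deny ip 10.245.167.0 0.0.0.255 172.24.16.0 0.0.3.255
deny ip 10.245.167.0 0.0.0.255 172.24.32.0 0.0.3.255
deny ip 10.245.167.0 0.0.0.255 198.51.100.0 0.0.0.255
permit ip 10.245.167.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous low-order run of ones is exactly 2^n - 1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_endpoint(tokens, i):
    """Parse one ACL endpoint ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net) tuples.
    Order is preserved because IOS evaluates an ACL first-match."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = parse_endpoint(tokens, 2)
        dst, _ = parse_endpoint(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def unexempted_crypto_flows(crypto_text, nat_text):
    """Return crypto-ACL flows (as 'src -> dst') that the NAT ACL would still translate.

    Each permitted crypto flow is walked through the NAT ACL in order. It is safe only if
    the first overlapping entry is a deny that covers the whole flow; a permit hit first,
    or a deny covering only part of the flow, means some of that traffic is NATed and
    never matches the crypto map. No match at all is the implicit deny (not translated).
    """
    problems = []
    for action, src, dst in parse_acl(crypto_text):
        if action != "permit":
            continue
        for nat_action, nat_src, nat_dst in parse_acl(nat_text):
            if not (src.overlaps(nat_src) and dst.overlaps(nat_dst)):
                continue
            fully_exempt = (nat_action == "deny"
                            and src.subnet_of(nat_src) and dst.subnet_of(nat_dst))
            if not fully_exempt:
                problems.append(f"{src} -> {dst}")
            break
    return problems


if __name__ == "__main__":
    for name, acl in (("posted NAT ACL", NAT_ACL),
                      ("NAT ACL missing one deny", NAT_ACL_MISSING_EXEMPT)):
        bad = unexempted_crypto_flows(CRYPTO_ACL, acl)
        print(f"{name}: {'OK' if not bad else 'still NATed: ' + ', '.join(bad)}")
```

Run against the ACLs as posted it reports nothing, which confirms the NAT exemption is not the reason the tunnel would fail; the constructed second case shows what a forgotten deny looks like. The same check is worth running on the ASA side against its NAT exemption rules, since a mismatch on either peer produces the same symptom of interesting traffic never bringing the SA up.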