Current configuration : 10976 bytes
!
! Last configuration change at 13:36:46 GMT Sat Aug 17 2024
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname VTARouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$POow...
!
no aaa new-model
clock timezone GMT -8 0
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name brtool.vta
ip dhcp excluded-address 192.168.0.0
ip dhcp excluded-address 192.168.0.1 192.168.0.59
ip dhcp excluded-address 192.168.0.100 192.168.0.255
!
ip dhcp pool WEBUIPool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease infinite
!
!
!
login on-success log
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-546068985
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-546068985
 revocation-check none
 rsakeypair TP-self-signed-546068985
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E....
  quit
crypto pki certificate chain TP-self-signed-546068985
 certificate self-signed 01
  3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312.....
  quit
!
!
no license feature hseck9
license udi pid C1111-4P sn FCZ2631R0S0
license boot level securityk9
archive
 path bootflash:mybackup
memory free low-watermark processor 70210
!
!
!
!
object-group network IPSEC-PEERS
 host 20.20.20.2
!
object-group service vpn-port_svc
 udp source eq isakmp eq isakmp
 udp source eq isakmp eq non500-isakmp
 udp source eq non500-isakmp eq isakmp
 udp source eq non500-isakmp eq non500-isakmp
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$BYHaL...
!
redundancy
 mode none
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any vta-in
 match access-group name VTA-INTERNET-IN
class-map type inspect match-all vpn-port
 description vpnudpport
 match access-group name vpn-port_acl
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol pop3s
 match protocol smtp
class-map type inspect match-all brvpn
 description vpn subnets
 match access-group name brvpn
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect vpn-port
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class type inspect vpn-port
  pass
 class type inspect brvpn
  pass
 class type inspect vta-in
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-INSIDE-POLICY
 class type inspect vpn-port
  pass
 class type inspect brvpn
  pass
 class class-default
  drop log
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
crypto isakmp policy 10
 encryption aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key MYKEY address 20.20.20.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto map mymap 10 ipsec-isakmp
 set peer 20.20.20.2
 set transform-set myset
 match address brvpn
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 zone-member security OUTSIDE
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Spectrum Internet Connection
 ip address 10.10.10.2 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
 negotiation auto
 crypto map mymap
!
interface GigabitEthernet0/1/0
 zone-member security INSIDE
!
interface GigabitEthernet0/1/1
 zone-member security INSIDE
!
interface GigabitEthernet0/1/2
 zone-member security INSIDE
!
interface GigabitEthernet0/1/3
 zone-member security INSIDE
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 10.10.10.1
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
!
ip access-list extended VTA-INTERNET-IN
 10 permit esp object-group IPSEC-PEERS host 10.10.10.2
 20 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp
 30 permit icmp object-group IPSEC-PEERS host 10.10.10.2 echo
 40 permit udp object-group IPSEC-PEERS host 10.10.10.2 eq isakmp non500-isakmp
ip access-list extended Web_acl
 10 permit ip any any
ip access-list extended brvpn
 10 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
ip access-list extended vpn-port_acl
 10 permit object-group vpn-port_svc any any
!
ip access-list standard 1
 10 permit 192.168.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 transport input none
 stopbits 1
line vty 0
 login
 length 0
 transport input ssh
line vty 1 4
 login
 transport input ssh
line vty 5 14
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
end