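! SYD-GW base configuration: management access, static routing, ISAKMP/IPsec
! site-to-site VPN towards 209.85.128.250, GRE tunnel, and the per-VLAN
! router-on-a-stick gateways on FastEthernet0/0.
enable
configure terminal
hostname SYD-GW
! Type 7 encoding is reversible; it only hides line passwords from casual view.
service password-encryption
!
no ip cef
no ipv6 cef
no cdp run
!
ip domain-name local.net
ip name-server 192.168.4.253
!
! Host key for SSH. Raised from 1024 to 2048 bits; hostname and domain name
! are already set above, which key generation requires.
crypto key generate rsa general-keys modulus 2048
!
line vty 0 15
 login local
 transport input ssh
 exit
!
line con 0
 logging synchronous
 ! NOTE(review): lab-only password, stored as type 7 - replace before real use.
 password Password01
 ! Without "login" the console password above is never asked for.
 login
 exit
!
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
! NOTE(review): hard-coded privilege-15 credential - replace before real use.
username administrator privilege 15 secret Password01
!
ip route 209.85.128.248 255.255.255.252 s0/0/1
ip route 0.0.0.0 0.0.0.0 s0/0/1
!
! IKE phase 1 proposal. No "hash" line is given, so the platform default applies.
crypto isakmp policy 5
 encryption aes 256
 lifetime 86400
 authentication pre-share
 ! NOTE(review): DH group 5 is 1536-bit; prefer group 14 or higher where both
 ! peers support it (the peer's policy must be changed to match).
 group 5
!
! NOTE(review): short pre-shared key in clear text - use a long random value
! and keep it out of shared configuration files.
crypto isakmp key cisco@123 address 209.85.128.250
!
crypto ipsec transform-set IPSEC-SITE-TO-SITE-VPN esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer 209.85.128.250
 set transform-set IPSEC-SITE-TO-SITE-VPN
 match address VPN-TRAFFIC
!
interface Tunnel0
 tunnel mode gre ip
 ip address 10.0.0.2 255.255.255.252
 tunnel source Serial0/0/1
 tunnel destination 209.85.128.250
!
! Per-VLAN gateways. NOTE(review): every helper-address points at the VPN
! peer's outside address 209.85.128.250; the VPN-TRAFFIC list in this file
! matches only the GRE host pair and 192.168.x destinations, so relayed DHCP
! presumably leaves Serial0/0/1 unencrypted - confirm.
interface FastEthernet0/0.1
 description Regular Staff Vlan Gateway
 encapsulation dot1Q 10
 ip address 172.16.0.30 255.255.255.224
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0.2
 description Guest Worker Vlan Gateway
 encapsulation dot1Q 20
 ip address 172.16.0.62 255.255.255.224
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0.3
 description Printers and Servers Vlan Gateway
 encapsulation dot1Q 30
 ip address 172.16.0.78 255.255.255.240
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0.4
 description Restricted Personnel Vlan Gateway
 encapsulation dot1Q 40
 ip address 172.16.0.94 255.255.255.240
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0.5
 description IT Admin Staff Vlan Gateway
 encapsulation dot1Q 50
 ip address 172.16.0.102 255.255.255.248
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0.6
 description Network Management Vlan Gateway
 encapsulation dot1Q 60
 ip address 172.16.0.106 255.255.255.252
 ip helper-address 209.85.128.250
!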
! VLAN 99 gateway, physical trunk and WAN interface, EIGRP, the crypto ACL
! that selects traffic for the site-to-site VPN, and the per-VLAN NAT pools.
interface FastEthernet0/0.9
 description Native Vlan Gateway
 encapsulation dot1Q 99
 ip address 172.16.0.110 255.255.255.252
 ip helper-address 209.85.128.250
!
interface FastEthernet0/0
 no shutdown
!
! WAN link; the crypto map attached here is what triggers IPsec.
interface Serial0/0/1
 ip address 209.85.128.254 255.255.255.252
 crypto map IPSEC-SITE-TO-SITE-VPN
 no shutdown
!
! NOTE(review): 209.85.128.252/30 covers Serial0/0/1, so EIGRP runs on the WAN
! link; no authentication or passive-interface is configured in this file -
! confirm the neighbour on that link is trusted.
router eigrp 1
 eigrp router-id 1.1.1.3
 network 209.85.128.252 0.0.0.3
 network 10.0.0.0 0.0.0.3
 network 172.16.0.0 0.0.0.31
 network 172.16.0.32 0.0.0.31
 network 172.16.0.64 0.0.0.15
 network 172.16.0.80 0.0.0.15
 network 172.16.0.96 0.0.0.7
 network 172.16.0.104 0.0.0.3
 network 172.16.0.108 0.0.0.3
 no auto-summary
 exit
!
ip flow-export version 9
!
! Interesting traffic for the crypto map: the GRE tunnel endpoints plus every
! local 172.16.0.x subnet towards every remote 192.168.x prefix.
ip access-list extended VPN-TRAFFIC
 permit gre host 209.85.128.254 host 209.85.128.250
 ! source 172.16.0.0/27
 permit ip 172.16.0.0 0.0.0.31 192.168.0.0 0.0.3.255
 permit ip 172.16.0.0 0.0.0.31 192.168.4.0 0.0.0.127
 permit ip 172.16.0.0 0.0.0.31 192.168.4.128 0.0.0.127
 permit ip 172.16.0.0 0.0.0.31 192.168.5.0 0.0.0.127
 permit ip 172.16.0.0 0.0.0.31 192.168.5.128 0.0.0.127
 permit ip 172.16.0.0 0.0.0.31 192.168.5.160 0.0.0.7
 permit ip 172.16.0.0 0.0.0.31 192.168.5.168 0.0.0.3
 ! source 172.16.0.32/27
 permit ip 172.16.0.32 0.0.0.31 192.168.0.0 0.0.3.255
 permit ip 172.16.0.32 0.0.0.31 192.168.4.0 0.0.0.127
 permit ip 172.16.0.32 0.0.0.31 192.168.4.128 0.0.0.127
 permit ip 172.16.0.32 0.0.0.31 192.168.5.0 0.0.0.127
 permit ip 172.16.0.32 0.0.0.31 192.168.5.128 0.0.0.127
 permit ip 172.16.0.32 0.0.0.31 192.168.5.160 0.0.0.7
 permit ip 172.16.0.32 0.0.0.31 192.168.5.168 0.0.0.3
 ! source 172.16.0.64/28
 permit ip 172.16.0.64 0.0.0.15 192.168.0.0 0.0.3.255
 permit ip 172.16.0.64 0.0.0.15 192.168.4.0 0.0.0.127
 permit ip 172.16.0.64 0.0.0.15 192.168.4.128 0.0.0.127
 permit ip 172.16.0.64 0.0.0.15 192.168.5.0 0.0.0.127
 permit ip 172.16.0.64 0.0.0.15 192.168.5.128 0.0.0.127
 permit ip 172.16.0.64 0.0.0.15 192.168.5.160 0.0.0.7
 permit ip 172.16.0.64 0.0.0.15 192.168.5.168 0.0.0.3
 ! source 172.16.0.80/28
 permit ip 172.16.0.80 0.0.0.15 192.168.0.0 0.0.3.255
 permit ip 172.16.0.80 0.0.0.15 192.168.4.0 0.0.0.127
 permit ip 172.16.0.80 0.0.0.15 192.168.4.128 0.0.0.127
 permit ip 172.16.0.80 0.0.0.15 192.168.5.0 0.0.0.127
 permit ip 172.16.0.80 0.0.0.15 192.168.5.128 0.0.0.127
 permit ip 172.16.0.80 0.0.0.15 192.168.5.160 0.0.0.7
 permit ip 172.16.0.80 0.0.0.15 192.168.5.168 0.0.0.3
 ! source 172.16.0.96/29
 permit ip 172.16.0.96 0.0.0.7 192.168.0.0 0.0.3.255
 permit ip 172.16.0.96 0.0.0.7 192.168.4.0 0.0.0.127
 permit ip 172.16.0.96 0.0.0.7 192.168.4.128 0.0.0.127
 permit ip 172.16.0.96 0.0.0.7 192.168.5.0 0.0.0.127
 permit ip 172.16.0.96 0.0.0.7 192.168.5.128 0.0.0.127
 permit ip 172.16.0.96 0.0.0.7 192.168.5.160 0.0.0.7
 permit ip 172.16.0.96 0.0.0.7 192.168.5.168 0.0.0.3
 ! source 172.16.0.104/30
 permit ip 172.16.0.104 0.0.0.3 192.168.0.0 0.0.3.255
 permit ip 172.16.0.104 0.0.0.3 192.168.4.0 0.0.0.127
 permit ip 172.16.0.104 0.0.0.3 192.168.4.128 0.0.0.127
 permit ip 172.16.0.104 0.0.0.3 192.168.5.0 0.0.0.127
 permit ip 172.16.0.104 0.0.0.3 192.168.5.128 0.0.0.127
 permit ip 172.16.0.104 0.0.0.3 192.168.5.160 0.0.0.7
 permit ip 172.16.0.104 0.0.0.3 192.168.5.168 0.0.0.3
 ! source 172.16.0.108/30
 permit ip 172.16.0.108 0.0.0.3 192.168.0.0 0.0.3.255
 permit ip 172.16.0.108 0.0.0.3 192.168.4.0 0.0.0.127
 permit ip 172.16.0.108 0.0.0.3 192.168.4.128 0.0.0.127
 permit ip 172.16.0.108 0.0.0.3 192.168.5.0 0.0.0.127
 permit ip 172.16.0.108 0.0.0.3 192.168.5.128 0.0.0.127
 permit ip 172.16.0.108 0.0.0.3 192.168.5.160 0.0.0.7
 permit ip 172.16.0.108 0.0.0.3 192.168.5.168 0.0.0.3
 exit
!
! NAT
! One pool per VLAN; each pool spans that VLAN's own host range.
ip nat pool SYDNAT-VLAN-10 172.16.0.1 172.16.0.30 netmask 255.255.255.224
ip nat pool SYDNAT-VLAN-20 172.16.0.33 172.16.0.62 netmask 255.255.255.224
ip nat pool SYDNAT-VLAN-30 172.16.0.65 172.16.0.78 netmask 255.255.255.240
ip nat pool SYDNAT-VLAN-40 172.16.0.81 172.16.0.94 netmask 255.255.255.240
ip nat pool SYDNAT-VLAN-50 172.16.0.97 172.16.0.102 netmask 255.255.255.248
ip nat pool SYDNAT-VLAN-60 172.16.0.105 172.16.0.106 netmask 255.255.255.252
ip nat pool SYDNAT-VLAN-99 172.16.0.109 172.16.0.110 netmask 255.255.255.252
!
! NAT selection lists for VLANs 10-40. Each list first denies (exempts from
! NAT) the GRE host pair and traffic from all seven local subnets to one
! remote prefix, then permits its own VLAN subnet to any destination.
! NOTE(review): each list exempts a single remote prefix, while the
! VPN-TRAFFIC crypto ACL in this file matches seven; traffic from the VLAN to
! the other six remote prefixes is still selected for NAT - confirm intended.
ip access-list extended VLAN10
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.0.0 0.0.3.255
 deny ip 172.16.0.32 0.0.0.31 192.168.0.0 0.0.3.255
 deny ip 172.16.0.64 0.0.0.15 192.168.0.0 0.0.3.255
 deny ip 172.16.0.80 0.0.0.15 192.168.0.0 0.0.3.255
 deny ip 172.16.0.96 0.0.0.7 192.168.0.0 0.0.3.255
 deny ip 172.16.0.104 0.0.0.3 192.168.0.0 0.0.3.255
 deny ip 172.16.0.108 0.0.0.3 192.168.0.0 0.0.3.255
 permit ip 172.16.0.0 0.0.0.31 any
!
ip access-list extended VLAN20
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.4.0 0.0.0.127
 deny ip 172.16.0.32 0.0.0.31 192.168.4.0 0.0.0.127
 deny ip 172.16.0.64 0.0.0.15 192.168.4.0 0.0.0.127
 deny ip 172.16.0.80 0.0.0.15 192.168.4.0 0.0.0.127
 deny ip 172.16.0.96 0.0.0.7 192.168.4.0 0.0.0.127
 deny ip 172.16.0.104 0.0.0.3 192.168.4.0 0.0.0.127
 deny ip 172.16.0.108 0.0.0.3 192.168.4.0 0.0.0.127
 permit ip 172.16.0.32 0.0.0.31 any
!
ip access-list extended VLAN30
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.4.128 0.0.0.127
 deny ip 172.16.0.32 0.0.0.31 192.168.4.128 0.0.0.127
 deny ip 172.16.0.64 0.0.0.15 192.168.4.128 0.0.0.127
 deny ip 172.16.0.80 0.0.0.15 192.168.4.128 0.0.0.127
 deny ip 172.16.0.96 0.0.0.7 192.168.4.128 0.0.0.127
 deny ip 172.16.0.104 0.0.0.3 192.168.4.128 0.0.0.127
 deny ip 172.16.0.108 0.0.0.3 192.168.4.128 0.0.0.127
 permit ip 172.16.0.64 0.0.0.15 any
!
ip access-list extended VLAN40
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.5.0 0.0.0.127
 deny ip 172.16.0.32 0.0.0.31 192.168.5.0 0.0.0.127
 deny ip 172.16.0.64 0.0.0.15 192.168.5.0 0.0.0.127
 deny ip 172.16.0.80 0.0.0.15 192.168.5.0 0.0.0.127
 deny ip 172.16.0.96 0.0.0.7 192.168.5.0 0.0.0.127
 deny ip 172.16.0.104 0.0.0.3 192.168.5.0 0.0.0.127
 deny ip 172.16.0.108 0.0.0.3 192.168.5.0 0.0.0.127
 permit ip 172.16.0.80 0.0.0.15 any
!
! NAT selection lists for VLANs 50, 60 and 99, followed by the bindings that
! tie each list to its pool with port overload.
! NOTE(review): each list exempts a single remote prefix from NAT, while the
! VPN-TRAFFIC crypto ACL in this file matches seven - confirm intended.
ip access-list extended VLAN50
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.5.128 0.0.0.127
 deny ip 172.16.0.32 0.0.0.31 192.168.5.128 0.0.0.127
 deny ip 172.16.0.64 0.0.0.15 192.168.5.128 0.0.0.127
 deny ip 172.16.0.80 0.0.0.15 192.168.5.128 0.0.0.127
 deny ip 172.16.0.96 0.0.0.7 192.168.5.128 0.0.0.127
 deny ip 172.16.0.104 0.0.0.3 192.168.5.128 0.0.0.127
 deny ip 172.16.0.108 0.0.0.3 192.168.5.128 0.0.0.127
 permit ip 172.16.0.96 0.0.0.7 any
!
ip access-list extended VLAN60
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.5.160 0.0.0.7
 deny ip 172.16.0.32 0.0.0.31 192.168.5.160 0.0.0.7
 deny ip 172.16.0.64 0.0.0.15 192.168.5.160 0.0.0.7
 deny ip 172.16.0.80 0.0.0.15 192.168.5.160 0.0.0.7
 deny ip 172.16.0.96 0.0.0.7 192.168.5.160 0.0.0.7
 deny ip 172.16.0.104 0.0.0.3 192.168.5.160 0.0.0.7
 deny ip 172.16.0.108 0.0.0.3 192.168.5.160 0.0.0.7
 permit ip 172.16.0.104 0.0.0.3 any
!
ip access-list extended VLAN99
 deny gre host 209.85.128.254 host 209.85.128.250
 deny ip 172.16.0.0 0.0.0.31 192.168.5.168 0.0.0.3
 deny ip 172.16.0.32 0.0.0.31 192.168.5.168 0.0.0.3
 deny ip 172.16.0.64 0.0.0.15 192.168.5.168 0.0.0.3
 deny ip 172.16.0.80 0.0.0.15 192.168.5.168 0.0.0.3
 deny ip 172.16.0.96 0.0.0.7 192.168.5.168 0.0.0.3
 deny ip 172.16.0.104 0.0.0.3 192.168.5.168 0.0.0.3
 deny ip 172.16.0.108 0.0.0.3 192.168.5.168 0.0.0.3
 permit ip 172.16.0.108 0.0.0.3 any
!
! Bind each selection list to the pool of the same VLAN.
ip nat inside source list VLAN10 pool SYDNAT-VLAN-10 overload
ip nat inside source list VLAN20 pool SYDNAT-VLAN-20 overload
ip nat inside source list VLAN30 pool SYDNAT-VLAN-30 overload
ip nat inside source list VLAN40 pool SYDNAT-VLAN-40 overload
ip nat inside source list VLAN50 pool SYDNAT-VLAN-50 overload
ip nat inside source list VLAN60 pool SYDNAT-VLAN-60 overload
ip nat inside source list VLAN99 pool SYDNAT-VLAN-99 overload
!
! NAT roles: every VLAN subinterface is an inside interface and the WAN
! serial link is the outside interface.
interface FastEthernet0/0.1
 ip nat inside
interface FastEthernet0/0.2
 ip nat inside
interface FastEthernet0/0.3
 ip nat inside
interface FastEthernet0/0.4
 ip nat inside
interface FastEthernet0/0.5
 ip nat inside
interface FastEthernet0/0.6
 ip nat inside
interface FastEthernet0/0.9
 ip nat inside
interface Serial0/0/1
 ip nat outside