!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
no ip source-route
!
no ip dhcp use vrf connected
ip dhcp bootp ignore
ip dhcp excluded-address 10.10.10.200 10.10.10.254
ip dhcp excluded-address 10.10.20.200 10.10.20.254
ip dhcp excluded-address 10.10.30.200 10.10.30.254
ip dhcp excluded-address 10.10.40.200 10.10.40.254
!
ip dhcp pool main
 network 10.10.10.0 255.255.255.0
 domain-name lan.tingvold.com
 default-router 10.10.10.254
 dns-server 10.10.10.200
 option 42 ip 158.37.91.134
 lease 7
!
ip dhcp pool labnett
 network 10.10.20.0 255.255.255.0
 domain-name lab.tingvold.com
 default-router 10.10.20.254
 dns-server 10.10.10.200
 option 42 ip 158.37.91.134
 lease 7
!
ip dhcp pool gjestenett
 network 10.10.30.0 255.255.255.0
 domain-name gjest.tingvold.com
 default-router 10.10.30.254
 dns-server 10.10.10.200
 option 42 ip 158.37.91.134
 lease 7
!
ip dhcp pool leilighet
 network 10.10.40.0 255.255.255.0
 domain-name leilighet.tingvold.com
 default-router 10.10.40.254
 dns-server 10.10.10.200
 option 42 ip 158.37.91.134
 lease 7
!
ip cef
no ip bootp server
ip domain name lan.tingvold.com
ip inspect name INBOUND tcp router-traffic
ip inspect name INBOUND udp router-traffic
ip inspect name INBOUND icmp router-traffic
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect tcp idle-time 57600
ipv6 inspect name V6_INBOUND udp
ipv6 inspect name V6_INBOUND icmp
ipv6 inspect name V6_INBOUND tcp
!
username test password 7
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group roflmao
 key keklolwtf
 domain local
 pool vpnclients
 acl VPN_TUNNEL
 include-local-lan
 netmask 255.255.255.0
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description client-to-site
 set transform-set tr-aes-sha
 reverse-route
!
crypto map cm-cryptomap client authentication list default
crypto map cm-cryptomap isakmp authorization list default
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
interface FastEthernet0
 description ALTIBOX
 bandwidth 10000
 ip address dhcp
 ip access-group IPV4-INBOUND in
 ip access-group IPV4-OUTBOUND out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip inspect INBOUND out
 duplex auto
 speed auto
 no cdp enable
 crypto map cm-cryptomap
!
interface FastEthernet1
 description Local
 bandwidth 10000
 ip address 10.10.10.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 duplex auto
 speed auto
 ipv6 address /64
 ipv6 enable
!
interface Vlan200
 ip address 10.10.20.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan300
 ip address 10.10.30.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan400
 ip address 10.10.40.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip local pool vpnclients 10.10.50.1 10.10.50.254
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat source list NAT interface FastEthernet0 overload
!
ip access-list standard SNMP
 permit 10.10.10.0 0.0.0.255
!
ip access-list extended IPV4-INBOUND
 deny ip host 0.0.0.0 any log-input
 deny ip 0.0.0.0 0.255.255.255 any log-input
 deny ip 10.0.0.0 0.255.255.255 any log-input
 deny ip 127.0.0.0 0.255.255.255 any log-input
 deny ip 169.254.0.0 0.0.255.255 any log-input
 deny ip 172.16.0.0 0.15.255.255 any log-input
 deny ip 192.0.0.0 0.0.0.255 any log-input
 deny ip 192.0.2.0 0.0.0.255 any log-input
 deny ip 192.88.99.0 0.0.0.255 any log-input
 deny ip 192.168.0.0 0.0.255.255 any log-input
 deny ip 198.51.100.0 0.0.0.255 any log-input
 deny ip 203.0.113.0 0.0.0.255 any log-input
 deny ip 224.0.0.0 31.255.255.255 any log-input
 deny ip host host log-input
 permit udp host eq bootps any log-input
 permit ip host host 85.200.43.63
 deny udp any any eq rip log-input
 deny eigrp any any log-input
 deny ospf any any log-input
 deny tcp any any eq bgp log-input
 deny tcp any eq bgp any log-input
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any source-quench
 permit icmp any any time-exceeded
 deny icmp any any
 deny tcp any any eq 22
 deny tcp any any eq telnet
 deny udp any host eq domain
 deny tcp any host eq domain
 deny udp any any eq tftp
 deny udp any any eq bootps
 deny udp any any eq ntp
 deny udp any any eq time
 deny tcp any any eq gopher
 deny tcp any any eq 87
 deny tcp any any eq pop3
 deny tcp any any eq smtp
 deny tcp any any eq sunrpc
 deny udp any any eq sunrpc
 deny tcp any any eq nntp
 deny udp any any eq snmptrap
 deny udp any any eq snmp
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 139
 permit tcp any any eq 443
 permit tcp any any eq www
 permit tcp any any eq 990
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 deny ip any any fragments
ip access-list extended IPV4-OUTBOUND
 deny tcp any any eq smtp
 permit ip any any
ip access-list extended NAT
 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
 deny ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
 deny ip 10.10.30.0 0.0.0.255 10.10.50.0 0.0.0.255
 deny ip 10.10.40.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip any any
ip access-list extended VPN_TUNNEL
 permit ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.30.0 0.0.0.255 10.10.50.0 0.0.0.255
 permit ip 10.10.40.0 0.0.0.255 10.10.50.0 0.0.0.255
 deny ip any any
!
ipv6 route ::/0
!
ipv6 access-list IPV6-INBOUND
 sequence 100 deny ipv6 host ::1 any
 deny ipv6 host :: any
 deny ipv6 ::/96 any
 deny ipv6 ::FFFF:0.0.0.0/96 any
 deny ipv6 FEC0::/10 any
 deny ipv6 FC00::/7 any
 deny ipv6 FF00::/8 any
 deny ipv6 FE80::/10 any
 sequence 1000 deny tcp any any eq 22
 sequence 2000 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 sequence 2100 deny icmp any any log-input
 sequence 3000 permit tcp any host eq www
 permit tcp any host eq 443
 sequence 10000 deny ipv6 any any fragments
!
ipv6 access-list IPV6-OUTBOUND
 sequence 200 deny tcp any any eq smtp
 sequence 10000 permit ipv6 any any
!