gw1-nh#show run
Building configuration...

Current configuration : 9361 bytes
!
! Last configuration change at 07:10:38 UTC Wed Feb 20 2013 by jkam
! NVRAM config last updated at 07:02:54 UTC Wed Feb 20 2013 by jkam
! NVRAM config last updated at 07:02:54 UTC Wed Feb 20 2013 by jkam
version 15.1
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
no service password-recovery
!
hostname gw1-nh
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096
logging console informational
enable secret 4 w2pKqYgWP2bZO9N8BLTDEWjdoe.LZh7eHt0K7hfKjDM
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authorization network RAVPN local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.255.10 192.168.255.30
ip dhcp excluded-address 10.4.254.2 10.4.254.100
ip dhcp excluded-address 10.4.254.200 10.4.254.254
ip dhcp excluded-address 10.4.253.200 10.4.253.254
ip dhcp excluded-address 10.4.252.200 10.4.252.250
ip dhcp excluded-address 192.168.2.98
ip dhcp excluded-address 192.168.2.120
!
ip dhcp pool VLAN_254
 network 10.4.254.0 255.255.255.0
 default-router 10.4.254.1
 option 43 hex 0104.0a04.fefe
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool VOIP
 network 10.4.253.0 255.255.255.0
 default-router 10.4.253.1
 dns-server 8.8.8.8 8.8.4.4
 option 66 ip 10.4.253.254
 option 150 ip 10.4.253.254
!
ip dhcp pool VLAN_252
 network 10.4.252.0 255.255.255.0
 default-router 10.4.252.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool AVID
 network 192.168.255.0 255.255.255.0
 default-router 192.168.255.1
 dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool RBDAVIES
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
ip cef
!
!
ip domain name jkamdigital.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3825 sn FTX0926A4JN
username jkam privilege 15 secret 4 H//VgT48.7m1F77GtHjviUQEXo3.C.hSKclxrma6xkQ
username aleff privilege 0 secret 4 H//VgT48.7m1F77GtHjviUQEXo3.C.hSKclxrma6xkQ
username jbass privilege 0 secret 4 HCeRceGcRkTfPbQ8U0MH.cJQTMv0ePw91UV6t/TUd3o
username kgore privilege 0 secret 4 A6g.KR2lG1IAC9sMUg/6RfaO5nwI9e9kck3HPBOZsgc
username ebeauchamp privilege 0 secret 4 twMHiS6qhUf/rfJuIqhh6zPWwbSRvut7QVjZxnAKt4k
username mnelson privilege 0 secret 4 luSeObEBqS7m7Ux97dU4qPfW4iArF8KZI2sQnuwGcoU
!
redundancy
!
!
!
class-map type inspect match-any VOIP
 match access-group name SIP
 match access-group name RTP-MEDIA
class-map match-all VOIP-POLICER-CLASS
 match access-group name VOIP-POLICER-ACL
class-map type inspect match-any TCP-UDP-ICMP
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-all IPERF-CLASS
 match access-group name IPERF
class-map type inspect match-all SMOKEPING-CLASS
 match access-group name SMOKEPING
class-map type inspect match-any RAVPN-CLASS
 match access-group name RAVPN-ACCESS
class-map match-all VOIP-SHAPER-CLASS
 match access-group name VOIP-SHAPER-ACL
!
!
policy-map type inspect TRUSTED_TO_UNTRUSTED
 class type inspect TCP-UDP-ICMP
  inspect
 class class-default
  drop
policy-map type inspect UNTRUSTED_TO_TRUSTED
 class type inspect VOIP
  pass
 class type inspect IPERF-CLASS
  inspect
 class class-default
  drop
policy-map VOIP-SHAPER-POLICY
 class VOIP-SHAPER-CLASS
  shape average 18000000
policy-map VOIP-POLICER-POLICY
 class VOIP-POLICER-CLASS
  police 16000000 conform-action transmit exceed-action drop violate-action drop
!
zone security UNTRUSTED
zone security TRUSTED
zone-pair security TRUSTED->UNTRUSTED source TRUSTED destination UNTRUSTED
 service-policy type inspect TRUSTED_TO_UNTRUSTED
zone-pair security UNTRUSTED->TRUSTED source UNTRUSTED destination TRUSTED
 service-policy type inspect UNTRUSTED_TO_TRUSTED
!
crypto keyring DVTI-PSK
 pre-shared-key address 0.0.0.0 0.0.0.0 key 6 Z^POhEZLO_HHWaNYc]DeDQ[QeQXc\PFgV
crypto logging session
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 6
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 30
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group RAVPN
 key 6 C`Da[H\DDBP[_ZKUgEAX\CVcRFeMUEWMJaRh
 dns 8.8.8.8 8.8.4.4
 domain jkamdigital.com
 pool RAVPN-POOL
 acl RAVPN-SPLITTUNNEL
 save-password
crypto isakmp profile RAVPN-DVTI_ISAKMP-PROFILE
 keyring DVTI-PSK
 match identity address 0.0.0.0
 virtual-template 1
crypto isakmp profile RAVPN-EZVPN_ISAKMP-PROFILE
 match identity group RAVPN
 client authentication list userlist
 isakmp authorization list RAVPN
 client configuration address respond
 virtual-template 100
!
!
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto ipsec profile RAVPN-DVTI_IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile RAVPN-DVTI_ISAKMP-PROFILE
!
crypto ipsec profile RAVPN-EZVPN_IPSEC-PROFILE
 set transform-set ESP-AES256-SHA1
 set isakmp-profile RAVPN-EZVPN_ISAKMP-PROFILE
!
!
!
!
!
!
!
!
interface Loopback0
 description ### OSPF LOOPBACK ###
 ip address 10.5.255.1 255.255.255.0
!
interface Tunnel100
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 zone-member security TRUSTED
 shutdown
 ipv6 address 2001:470:C:903::2/127
 ipv6 enable
 tunnel source 108.60.36.6
 tunnel mode ipv6ip
 tunnel destination 66.220.18.42
!
interface GigabitEthernet0/0
 description ### TO BB1-NH ###
 bandwidth 20000
 ip address 10.4.255.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 zone-member security TRUSTED
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 description ### Internet Access BelAirInternet 108.60.36.0/29 ###
 bandwidth 20000
 ip address 108.60.36.6 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security UNTRUSTED
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 service-policy input VOIP-POLICER-POLICY
 service-policy output VOIP-POLICER-POLICY
!
interface Virtual-Template1 type tunnel
 description ### Dynamic VTI tunnel interface for hardware router/firewall spokes ###
 ip unnumbered Loopback0
 zone-member security TRUSTED
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RAVPN-DVTI_IPSEC-PROFILE
!
interface Virtual-Template100 type tunnel
 description ### Dynamic VTI tunnel interface for terminating EZVPN software clients (e.g. OS X / iphone / Android) ###
 ip unnumbered GigabitEthernet0/0
 zone-member security TRUSTED
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RAVPN-EZVPN_IPSEC-PROFILE
!
router ospf 1
 redistribute static subnets
 passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
!
ip local pool RAVPN-POOL 10.4.255.129 10.4.255.254
ip forward-protocol nd
!
ip flow-top-talkers
 top 20
 sort-by bytes
 match direction ingress
!
no ip http server
no ip http secure-server
no ip nat service sip udp port 5060
ip nat inside source list PAT interface GigabitEthernet0/1 overload
ip nat inside source static 10.4.253.254 108.60.36.4
ip nat inside source static tcp 10.4.252.51 5001 108.60.36.6 5001 extendable
ip route 0.0.0.0 0.0.0.0 108.60.36.1
!
ip access-list extended IPERF
 permit tcp any any eq 5001
ip access-list extended PAT
 permit ip 10.4.0.0 0.0.255.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.255.0 0.0.0.255 any
ip access-list extended RAVPN-ACCESS
 permit ip 10.4.255.128 0.0.0.127 10.4.0.0 0.0.255.255
 permit ip 10.4.255.128 0.0.0.127 192.168.255.0 0.0.0.255
ip access-list extended RAVPN-SPLITTUNNEL
 permit ip 10.4.0.0 0.0.255.255 10.4.255.128 0.0.0.127
 permit ip 192.168.255.0 0.0.0.255 10.4.255.128 0.0.0.127
ip access-list extended RTP-MEDIA
 permit udp any range 1024 65535 host 10.4.253.254 range 10000 32767
ip access-list extended SIP
 permit udp any any eq 5060
ip access-list extended VOIP-POLICER-ACL
 permit tcp any any
ip access-list extended VOIP-SHAPER-ACL
 permit tcp any any
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
!
!
snmp-server community JKAM-SNMP RO 1
snmp-server ifindex persist
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp master 4
ntp server 2.pool.ntp.org
ntp server 3.pool.ntp.org
ntp server 0.pool.ntp.org
ntp server 1.pool.ntp.org
end