esr-10# sh run 
# Firewall session counters, followed by the named service (port) groups.
# NOTE(review): of these groups only OBJ_SVC_VPN is matched by a rule in this
# listing (zone-pair WAN self, rule 2, with "match protocol udp"); ssh,
# dhcp_server, dhcp_client and ntp are defined but not referenced by any rule
# shown here - confirm whether they are leftovers.
ip firewall sessions counters
object-group service ssh
  port-range 22
exit
object-group service dhcp_server
  port-range 67
exit
object-group service dhcp_client
  port-range 68
exit
object-group service ntp
  port-range 123
exit
# Ports 500 and 4500: IKE and IKE NAT traversal.
object-group service OBJ_SVC_VPN
  port-range 500
  port-range 4500
exit

# Named address groups.
# OBJ_NET_STATIC_IP holds the same address as the WAN sub-interface
# (gigabitethernet 1/0/1.1100); no rule in this listing references it.
object-group network OBJ_NET_STATIC_IP
  ip prefix 91.240.179.240/32
exit
# OBJ_NET_USERS is the LAN subnet; it is the source match of the SNAT rule.
object-group network OBJ_NET_USERS
  ip prefix 10.99.0.0/24
exit

# Local logging: at most 3 files of size 512 (unit not shown in this listing),
# with sequence numbers, written to two files under tmpsys: at severity info.
# NOTE(review): no remote syslog host is configured here, so the only copy of
# the logs lives on the router itself; tmpsys: is presumably volatile storage -
# confirm. Forwarding to a central collector keeps evidence available after a
# reboot or a compromise of the device.
syslog max-files 3
syslog file-size 512
syslog sequence-numbers
syslog file tmpsys:syslog/default
  severity info
exit
syslog file tmpsys:syslog/syslog
  severity info
exit

# Local accounts and AAA.
# The two local password hashes use the $6$ (SHA-512 crypt) format. Once a
# configuration dump like this leaves the device the hashes can be guessed
# offline, so both passwords should be treated as exposed and rotated.
username admin
  password encrypted $6$UWb.ZOkNM8ON58/F$YmUxwngy50F9A1s.pckLMJ1Uoe.ZvjmTYTo4ULSYSqoBgdH7Znlb9vmiyv3L4waomDYncyzH1T1M8Tm0wVXoA.
exit
username techsupport
  password encrypted $6$MRHOnalF2IZoZ9ki$H38x5vfi52u3yn4KSpkK5LTCI/UfRg2vfqFh6F29/53V4d8LcnQAAjRegqhRRXdeuE2Z.n4lgm7aej3eMng6F1
exit
# Console and SSH logins try RADIUS first, then the local user database;
# enable authentication tries RADIUS, then the enable password.
# NOTE(review): "mode break" presumably stops at the first method that gives an
# answer instead of falling through on a reject - confirm against the vendor
# documentation.
aaa authentication mode break
aaa authentication login CONSOLE radius local
aaa authentication login SSH radius local
aaa authentication enable default radius enable
# NOTE(review): the RADIUS shared secret is stored as "ascii-text encrypted";
# whether that encoding is reversible is not visible here, so treat the key as
# disclosed together with this listing and rotate it on both ends.
radius-server host 10.4.0.248
  key ascii-text encrypted A9B020579B141DFFB0269F00275C72E9
exit
# Bind the authentication lists above to the console and SSH lines.
line console
  login authentication CONSOLE
exit
line ssh
  login authentication SSH
exit

# System-wide settings.
# NOTE(review): "tech-support login enable" presumably allows the techsupport
# account defined in this configuration to log in - confirm, and disable it
# when vendor support access is not needed.
tech-support login enable
system jumbo-frames
# NOTE(review): presumably an unconfirmed configuration change is rolled back
# after 120 seconds - confirm the unit and behaviour.
system config-confirm timeout 120

# NOTE(review): auto-config / auto-update presumably let the router fetch its
# configuration and firmware automatically at boot. On a production device
# verify that the source is trusted, or disable both - confirm behaviour.
boot host auto-config
boot host auto-update
# VLAN 2 is used as the access VLAN of gigabitethernet 1/0/6.
vlan 2
exit

no spanning-tree

# Firewall zones. In this listing LAN is assigned to gigabitethernet 1/0/4,
# WAN to gigabitethernet 1/0/1.1100 and VPN to tunnels gre 1 and gre 2.
# The switchport interfaces and loopback 8 carry no security-zone statement.
security zone LAN
exit
security zone WAN
exit
security zone VPN
exit

# Outbound BGP policy and the BGP process.
# NOTE(review): rule 10 of RM_BGP_OUT has no match or action statement, so what
# the route-map lets through is not visible here - confirm the default action.
route-map RM_BGP_OUT
  rule 10
  exit
exit
# Local AS 64556 peers with AS 64513 (both in the private AS range). The two
# neighbors are addresses in the subnet of tunnel gre 2.
# NOTE(review): no neighbor authentication and no inbound route-map or prefix
# filter appear in this listing, so routes received from the peers are not
# filtered by anything shown here - confirm this is intended.
router bgp 64556
  peer-group PG_BGP_P11
    remote-as 64513
    graceful-restart
    route-map RM_BGP_OUT out
  exit
  neighbor 172.30.2.1
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  neighbor 172.30.2.2
    peer-group PG_BGP_P11
    address-family ipv4 unicast
      enable
    exit
    enable
  exit
  # Announce the LAN prefix; a blackhole static route for the same prefix
  # exists in this configuration.
  address-family ipv4 unicast
    network 10.99.0.0/24
  exit
  enable
exit


# Physical and loopback interfaces.
# WAN uplink on sub-interface 1/0/1.1100 (presumably VLAN 1100 - confirm).
interface gigabitethernet 1/0/1.1100
  description "WAN"
  security-zone WAN
  ip address 91.240.179.240/24
exit
# Ports 1/0/2, 1/0/3 and 1/0/5 are switchports with no further configuration.
interface gigabitethernet 1/0/2
  mode switchport
exit
interface gigabitethernet 1/0/3
  mode switchport
exit
# LAN gateway for 10.99.0.0/24.
interface gigabitethernet 1/0/4
  security-zone LAN
  ip address 10.99.0.254/24
exit
interface gigabitethernet 1/0/5
  mode switchport
exit
# Access port in VLAN 2; no routed interface for VLAN 2 appears in this listing.
interface gigabitethernet 1/0/6
  mode switchport
  switchport access vlan 2
exit
# NOTE(review): 1.1.1.1 is a publicly assigned address that nothing in this
# listing ties to this site; a local /32 for it overrides the route to the real
# host for traffic passing through this router - confirm it is intentional.
# 10.255.99.1 is the target of ip sla test 2. No security-zone is set here.
interface loopback 8
  ip address 1.1.1.1/32
  ip address 10.255.99.1/32
exit
# Two multipoint GRE tunnels with NHRP (a DMVPN-style overlay), both in zone
# VPN and both sourced from the WAN address. Each maps two next-hop servers to
# public addresses and binds IPSEC_VPN_HUB (static) and IPSEC_VPN_SPOKE
# (dynamic) to the NHRP sessions.
# NOTE(review): the NHRP authentication strings are part of this dump. How
# "encrypted" protects them is not shown, so treat them as disclosed and rotate
# them on every tunnel member. The GRE key values identify the tunnel and are
# not a secret.
tunnel gre 1
  key 1001
  mtu 1400
  multipoint
  security-zone VPN
  local address 91.240.179.240
  ip address 172.30.1.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318AA
  ip nhrp holding-time 300
  ip nhrp map 172.30.1.2 78.85.13.42
  ip nhrp map 172.30.1.1 85.140.32.27
  ip nhrp nhs 172.30.1.1/24
  ip nhrp nhs 172.30.1.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit
# Second overlay; the BGP neighbors 172.30.2.1 and 172.30.2.2 are in this subnet.
tunnel gre 2
  key 1002
  mtu 1400
  multipoint
  security-zone VPN
  local address 91.240.179.240
  ip address 172.30.2.76/24
  ip tcp adjust-mss 1360
  ip nhrp authentication encrypted B18B2823930318A9
  ip nhrp holding-time 300
  ip nhrp map 172.30.2.1 5.227.124.143
  ip nhrp map 172.30.2.2 78.85.13.93
  ip nhrp nhs 172.30.2.1/24
  ip nhrp nhs 172.30.2.2/24
  ip nhrp ipsec IPSEC_VPN_HUB static
  ip nhrp ipsec IPSEC_VPN_SPOKE dynamic
  ip nhrp multicast nhs
  ip nhrp enable
  enable
exit

# SNMP agent with a single read-only community.
# NOTE(review): the community string is stored and shown in clear text, and no
# source restriction or SNMPv3 user appears in this listing. Treat the string
# as disclosed and rotate it; prefer SNMPv3 with authentication and privacy,
# and limit which hosts may query. Reachability is decided by the zone-pair
# "self" rules: LAN self rule 1 and VPN self rule 10 permit all traffic.
snmp-server
snmp-server community "lmTUEsk6Yvlv" ro 

# Zone-pair firewall policy. Pairs not listed here (for example WAN to LAN and
# WAN to VPN) have no rules in this listing.
# NOTE(review): traffic with no matching rule is presumably dropped - confirm
# the default action for this software version.
# LAN to WAN: everything permitted (rule has no match statements).
security zone-pair LAN WAN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
# LAN to VPN and VPN to LAN: everything permitted in both directions, so any
# host behind a tunnel peer can reach any LAN host on any port.
security zone-pair LAN VPN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
security zone-pair VPN LAN
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit
# LAN to the router itself: rule 1 permits everything; rule 2 is empty and not
# enabled.
security zone-pair LAN self
  rule 1
    action permit
    enable
  exit
  rule 2
  exit
exit
# WAN to the router itself: only GRE, UDP to ports 500/4500, ESP and ICMP.
# SSH and SNMP are not permitted from WAN by any rule shown here.
# NOTE(review): rule 1 has no source match, so GRE is accepted from any WAN
# address; whether GRE that arrived inside ESP is evaluated against this rule
# again after decryption is not visible here - confirm, and if clear-text GRE
# is never expected, check whether the platform can require IPsec for it.
security zone-pair WAN self
  rule 1
    description "GRE"
    action permit
    match protocol gre
    enable
  exit
  rule 2
    description "ISAKMP"
    action permit
    match protocol udp
    match destination-port OBJ_SVC_VPN
    enable
  exit
  rule 3
    description "ESP"
    action permit
    match protocol esp
    enable
  exit
  rule 10
    description "ICMP"
    action permit
    match protocol icmp
    enable
  exit
exit
# VPN to the router itself: everything permitted, which exposes the router's
# management services (SSH, SNMP) to every tunnel peer. Narrowing this to the
# protocols the overlay needs plus management from known admin sources would
# reduce what a compromised peer can reach.
security zone-pair VPN self
  rule 10
    description "ANY"
    action permit
    enable
  exit
exit

# IKE and IPsec for the GRE overlay.
# IKE proposal: AES-128 with Diffie-Hellman group 2 (1024-bit MODP), which
# current guidance treats as too weak; group 14 or higher is the usual minimum.
# NOTE(review): no authentication (hash) algorithm is set, so the device
# default applies - confirm it is not MD5 or SHA-1. Any change here has to be
# made on all tunnel peers at the same time.
security ike proposal IKE_PROP_1
  encryption algorithm aes128
  dh-group 2
exit

# One pre-shared key, used by both gateways below.
# NOTE(review): the key is part of this dump in "ascii-text encrypted" form;
# treat it as disclosed and rotate it on all peers.
security ike policy IKE_POL_1
  pre-shared-key ascii-text encrypted 91B8083FE00447F6D804
  proposal IKE_PROP_1
exit

# Hub gateway: remote address is "any", but the protected traffic is limited to
# GRE between the WAN address and four /32 peers (the NHRP map targets of
# tunnels gre 1 and gre 2).
security ike gateway IKE_GW_HUB
  ike-policy IKE_POL_1
  local address 91.240.179.240
  local network 91.240.179.240/32 protocol gre 
  remote address any
  remote network 78.85.13.42/32 protocol gre 
  remote network 85.140.32.27/32 protocol gre 
  remote network 5.227.124.143/32 protocol gre 
  remote network 78.85.13.93/32 protocol gre 
  mode policy-based
exit

# Spoke gateway: remote address and remote network are both "any", so the
# shared key is the only thing that decides which peers may negotiate GRE
# protection with this router.
security ike gateway IKE_GW_SPOKE
  ike-policy IKE_POL_1
  local address 91.240.179.240
  local network 91.240.179.240/32 protocol gre 
  remote address any
  remote network any protocol gre 
  mode policy-based
exit

# IPsec proposal: AES-128 only.
# NOTE(review): integrity algorithm, PFS group and lifetimes are not set here,
# so defaults apply - confirm them.
security ipsec proposal IPSEC_PROP_1
  encryption algorithm aes128
exit

security ipsec policy IPSEC_POL_HUB_1
  proposal IPSEC_PROP_1
exit

# Both VPNs use the same IPsec policy and differ only in the IKE gateway.
security ipsec vpn IPSEC_VPN_HUB
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_HUB
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

security ipsec vpn IPSEC_VPN_SPOKE
  mode ike
  ike establish-tunnel route
  ike gateway IKE_GW_SPOKE
  ike ipsec-policy IPSEC_POL_HUB_1
  enable
exit

# NOTE(review): the effect of "security passwords default-expired" is not
# visible in this listing; presumably it concerns expiry of default passwords -
# confirm against the vendor documentation.
security passwords default-expired
# Source NAT: traffic from OBJ_NET_USERS (the LAN subnet) leaving towards zone
# WAN is translated to the address of the outgoing interface.
nat source
  ruleset SNAT
    to zone WAN
    rule 10
      match source-address OBJ_NET_USERS
      action source-nat interface
      enable
    exit
  exit
exit

# DHCP pool for 192.168.1.0/24 with gateway 192.168.1.1.
# NOTE(review): no interface in this listing has an address in that subnet (the
# LAN interface is 10.99.0.254/24) and no DHCP server enable statement is
# shown, so this looks like a leftover default - confirm and remove if unused.
ip dhcp-server pool lan-pool
  network 192.168.1.0/24
  address-range 192.168.1.2-192.168.1.254
  default-router 192.168.1.1
exit

# Static routes: default route via the WAN gateway; a blackhole route for the
# LAN prefix (the trailing 254 is presumably the route distance - confirm),
# matching the BGP network statement; and a host route to 9.9.9.9 via the WAN
# gateway that depends on track 1.
ip route 0.0.0.0/0 91.240.179.254
ip route 10.99.0.0/24 blackhole 254
ip route 9.9.9.9/32 91.240.179.254 track 1 name track_route

# IP SLA probes, logged at level error.
ip sla logging level error
ip sla

ip sla logging

# Test 1: ICMP echo to 8.8.8.8 sourced from the WAN address.
ip sla test 1
  icmp-echo 8.8.8.8 source-ip 91.240.179.240
exit
# Test 2: ICMP echo to 10.255.99.1 sourced from the LAN address.
# NOTE(review): 10.255.99.1 is configured on this router's own loopback 8, so
# this probe presumably always succeeds and says nothing about a remote path -
# confirm the intended target.
ip sla test 2
  icmp-echo 10.255.99.1 source-ip 10.99.0.254
exit

# Run both tests permanently, starting immediately.
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now

# SSH server with an explicit list of disabled algorithms.
# Disabled MACs: MD5, RIPEMD-160 and SHA-1 variants. Disabled ciphers: aes128
# and aes192 (presumably the CBC variants - confirm) and their CTR variants,
# arcfour, blowfish and cast128. Disabled key exchanges: the SHA-1 based
# Diffie-Hellman methods and the NIST-curve ECDH methods.
# NOTE(review): the algorithms that remain enabled are platform defaults and
# are not shown in this listing - verify the effective set on the device.
# Which zones can reach the SSH service is decided by the zone-pair "self"
# rules: LAN self and VPN self permit all traffic, WAN self does not list SSH.
ip ssh server
ip ssh authentication algorithm md5 disable
ip ssh authentication algorithm md5-96 disable
ip ssh authentication algorithm ripemd160 disable
ip ssh authentication algorithm sha1 disable
ip ssh authentication algorithm sha1-96 disable
ip ssh encryption algorithm aes128 disable
ip ssh encryption algorithm aes128ctr disable
ip ssh encryption algorithm aes192 disable
ip ssh encryption algorithm aes192ctr disable
ip ssh encryption algorithm arcfour disable
ip ssh encryption algorithm arcfour128 disable
ip ssh encryption algorithm arcfour256 disable
ip ssh encryption algorithm blowfish disable
ip ssh encryption algorithm cast128 disable
ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
ip ssh key-exchange algorithm dh-group1-sha1 disable
ip ssh key-exchange algorithm dh-group14-sha1 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable

# Time settings: GMT+4 and two unicast NTP servers in private address space.
# NOTE(review): no NTP authentication appears in this listing, and
# broadcast-client is enabled, which presumably makes the router accept
# broadcast time announcements from attached segments - confirm, and disable it
# if only the two unicast servers are meant to be used. Correct time matters
# for log correlation.
clock timezone gmt +4

ntp enable
ntp broadcast-client enable
ntp server 10.1.8.2
  minpoll 4
exit
ntp server 10.1.8.1
  minpoll 4
exit

# Tracking object 1 combines ip sla tests 1 and 2 and gates the static route to
# 9.9.9.9/32.
# NOTE(review): how the two test results are combined (all or any) is not
# visible in this listing - confirm.
track 1
  track sla test 1
  track sla test 2
exit
esr-10#
