! Cisco IOS XE Software, Version 16.06.02
!
! Image: Software: X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M, 16.6.2, RELEASE SOFTWARE (fc2)
! Image: Compiled: Wed 01-Nov-17 07:29 by mcpre
! Image: bootflash:isr4200-universalk9_ias.16.06.02.SPA.bin
! Chassis type: ISR4221/K9
! Memory: main 1796877K/6147K
! Processor ID: FGL220591XP
! CPU: 1RU
! Memory: nvram 32768K
! Memory: flash 6598655K
!
! VTP: VTP Version capable : 1 to 3
! VTP: VTP version running : 1
! VTP: VTP Domain Name :
! VTP: VTP Pruning Mode : Disabled
! VTP: VTP Traps Generation : Disabled
! VTP: Device ID : 28ac.9e3d.93d0
! VTP: Local updater ID is 69.14.12.62 on interface Gi0/0/0 (first layer3 interface found)
! VTP: Feature VLAN:
! VTP: --------------
! VTP: VTP Operating Mode : Server
! VTP: Maximum VLANs supported locally : 64
! VTP: Number of existing VLANs : 5
! VTP: Configuration Revision : 0
! VTP: MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
! VTP: 0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
!
!
! +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
! INFO: Please use "show license UDI" to get serial number for licensing.
! +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
!
! NAME: "Chassis", DESCR: "Cisco ISR4221 Chassis"
! PID: ISR4221/K9 , VID: V02 , SN: FGL220591XP
!
! NAME: "Power Supply Module 0", DESCR: "90W AC Power Supply for Cisco ISR 4220"
! PID: PWR-4220-AC , VID: , SN:
!
! NAME: "Fan Tray", DESCR: "Cisco ISR4220 Fan Assembly"
! PID: ACS-4220-FANASSY , VID: , SN:
!
! NAME: "module 0", DESCR: "Cisco ISR4221 Built-In NIM controller"
! PID: ISR4221/K9 , VID: , SN:
!
! NAME: "NIM subslot 0/0", DESCR: "Front Panel 2 ports Gigabitethernet Module"
! PID: ISR4221-2x1GE , VID: V01 , SN:
!
! NAME: "module R0", DESCR: "Cisco ISR4221 Route Processor"
! PID: ISR4221/K9 , VID: V02 , SN: FOC22034VZ4
!
! NAME: "module F0", DESCR: "Cisco ISR4221 Forwarding Processor"
! PID: ISR4221/K9 , VID: , SN:
!
!
!
! Last configuration change at 14:19:09 UTC Sat Jun 27 2026 by tim2
! NVRAM config last updated at 02:00:02 UTC Sun Jun 28 2026
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname timsablabRouter.timsablab.ddns.net
!
boot-start-marker
boot system flash :isr4200-universalk9_ias.16.06.02.SPA.bin
boot-end-marker
!
shell processing full
!
enable secret 5 $1$mUKO$0fVjeVAXELiUG8LMGeG140
!
aaa new-model
!
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SERVER
!
aaa group server radius RADIUS-GROUP
 server name RADIUS-SERVER
!
aaa authentication login default group tacacs+ group radius local
aaa accounting exec default start-stop group tacacs+
!
!
!
!
!
!
aaa session-id common
!
ip host adtran 192.168.99.13
ip host basement_switch 192.168.99.3
ip host basementswitch 192.168.99.3
ip host ciscoRouter 192.168.99.6
ip host layer3swtich 192.168.99.2
ip host livingroom_switch 192.168.99.4
ip host livingroomswitch 192.168.99.4
ip host mikrotik 192.168.99.1
ip host newBoysBedrromSwitch 192.168.99.15
ip host newLivingroomSwitch 192.168.99.14
ip host nexusSwitch 192.168.99.5
ip host officeSwitch 192.168.99.16
ip host pfSense 192.168.99.7
ip host timsablabLayer3Switch 192.168.99.2
no ip domain lookup
ip domain name timsablab.ddns.net
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid ISR4221/K9 sn FGL220591XP
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username admin privilege 15 secret 5 $1$X3z/$DSG9mdp8LbNksuF/.0BhV.
username sabrina privilege 15 secret 5 $1$klDl$576FNyorI7BwIWsu8zjQc.
username thatcher privilege 15 secret 5 $1$qD80$QtsqupH/6ohxuEDyRL7TI/
username merrick privilege 15 secret 5 $1$n8Km$7zld9.KmfLAv8HDFIE4xX1
username gp privilege 15 secret 5 $1$E89O$KY9Kcic23LdIx/G0CTSHr.
username nanna privilege 15 secret 5 $1$ED/V$sO07KJgite8jR6OmyP5Ac0
username grandpa privilege 15 secret 5 $1$xdj3$nezFdys6KZGQaTClV9sid1
username lola privilege 15 secret 5 $1$R.Wn$ovf8MXFRvUzIjutvSWvwZ/
username tim2 privilege 15 secret 5 $1$9l.4$lfilNYsbVjQ4BcaGkT5P0.
!
redundancy
 mode none
!
!
!
!
!
!
track 1 ip sla 1 reachability
!
lldp run
!
class-map type inspect match-any CM-OUTSIDE-TO-INSIDE-ALLOWED
 match access-group name OUTSIDE_TO_INSIDE_ALLOWED
class-map type inspect match-any CM-INTERNET
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
 match protocol ntp
 match protocol ssh
!
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-OUTSIDE-TO-INSIDE-ALLOWED
  pass
 class class-default
  drop log
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INTERNET
  inspect
 class class-default
  pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Joshua3412@ address 192.168.99.1
crypto isakmp key Joshua3412@ address 192.168.99.7
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile GRE-IPSEC-MT
 set transform-set TS-AES256-SHA256
 set pfs group14
!
crypto ipsec profile GRE-IPSEC-PF
 set transform-set TS-AES256-SHA256
 set pfs group14
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel10
 description GRE-over-IPsec to MikroTik
 ip address 10.10.11.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1.99
 tunnel destination 192.168.99.1
 tunnel protection ipsec profile GRE-IPSEC-MT
!
interface Tunnel20
 description GRE-over-IPsec to pfSense
 ip address 10.10.20.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/1.99
 tunnel destination 192.168.99.7
 tunnel protection ipsec profile GRE-IPSEC-PF
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 ip access-group WAN-SELF-PROTECT in
 zone-member security OUTSIDE
 negotiation auto
!
interface GigabitEthernet0/0/1
 description Uplink TO Layer 3 Switch
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.99
 encapsulation dot1Q 99
 ip address 192.168.99.6 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 ip ospf priority 170
 ip ospf mtu-ignore
 vrrp 1 ip 192.168.99.254
 vrrp 1 track 1 decrement 50
!
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface GigabitEthernet0/0/1.99
 network 1.1.1.1 0.0.0.0 area 0
 network 192.168.99.0 0.0.0.255 area 0
!
router bgp 65002
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
!
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.30.103 993 interface GigabitEthernet0/0/0 993
ip nat inside source static tcp 192.168.30.103 465 interface GigabitEthernet0/0/0 465
ip nat inside source static tcp 192.168.30.103 25 interface GigabitEthernet0/0/0 25
ip nat inside source static tcp 192.168.100.10 443 interface GigabitEthernet0/0/0 443
ip nat inside source static tcp 192.168.100.10 80 interface GigabitEthernet0/0/0 80
ip nat inside source static udp 192.168.142.42 5060 interface GigabitEthernet0/0/0 5060
ip nat inside source static udp 192.168.30.2 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http access-class ipv4 MGMT-VTY
ip http authentication local
no ip http secure-server
ip http path flash:
ip route 192.168.20.0 255.255.255.0 192.168.99.2
ip route 192.168.40.0 255.255.255.0 192.168.99.2
ip route 192.168.142.0 255.255.255.0 192.168.99.2
ip route 192.168.232.0 255.255.255.0 192.168.99.2
ip route 192.168.242.0 255.255.255.0 192.168.99.2
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip ssh authentication-retries 5
ip ssh version 2
ip ssh pubkey-chain
  username tim2
   key-hash ssh-rsa 7D49CD6B028AC718ADB53E43CBBE2524
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes256-cbc 3des-cbc
ip ssh server algorithm hostkey ssh-rsa
!
!
ip access-list standard MGMT-VTY
 permit 192.168.99.0 0.0.0.255
 permit 10.0.30.0 0.0.0.255
 permit 172.31.255.0 0.0.0.3
 deny any
ip access-list standard NAT_INSIDE
 permit 192.168.20.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
 permit 192.168.40.0 0.0.0.255
 permit 192.168.99.0 0.0.0.255
 permit 192.168.100.0 0.0.0.255
 permit 192.168.132.0 0.0.0.255
 permit 192.168.142.0 0.0.0.255
 permit 192.168.160.0 0.0.0.255
 permit 192.168.202.0 0.0.0.255
 permit 192.168.232.0 0.0.0.255
 permit 192.168.242.0 0.0.0.255
!
ip access-list extended OUTSIDE_TO_INSIDE_ALLOWED
 permit udp any any eq 1194
 permit udp any any eq 5060
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 465
 permit tcp any any eq 993
 permit tcp any any eq 587
ip access-list extended WAN-SELF-PROTECT
 remark Allow DHCP client replies
 permit udp any eq bootps any eq bootpc
 remark Allow public forwarded services
 permit udp any any eq 1194
 permit udp any any eq 5060
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq smtp
 permit tcp any any eq 465
 permit tcp any any eq 587
 permit tcp any any eq 993
 remark Allow basic ICMP troubleshooting
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Block public control-plane noise to router
 deny udp any any eq snmp log
 deny udp any any eq snmptrap log
 deny udp any any eq ntp log
 deny udp any any eq 1645 log
 deny udp any any eq 1646 log
 deny udp any any eq 1812 log
 deny udp any any eq 1813 log
 deny udp any any eq isakmp log
 deny udp any any eq non500-isakmp log
 deny tcp any any eq 22 log
 deny tcp any any eq telnet log
 permit ip any any
ip sla 1
 icmp-echo 67.149.139.23
 frequency 5
ip sla schedule 1 life forever start-time now
kron occurrence daily-backup at 2:00 recurring
 policy-list backup-config
!
kron policy-list backup-config
 cli write memory
 cli copy running-config tftp://192.168.40.100/timsablabRouter.cfg
!
access-list 10 permit 192.168.99.43
access-list 10 permit 192.168.99.184
access-list 20 permit 192.168.99.0 0.0.0.255
!
!
snmp-server community timsablabSNMP RO 10
snmp-server location Rack-1-basement
snmp-server contact tjohnson@123.net
tacacs server TACACS-SERVER
 address ipv4 192.168.30.101
 key 7 12330A041A1E0D577E7A7608
!
!
!
radius server RADIUS-SERVER
 address ipv4 192.168.99.43 auth-port 1812 acct-port 1813
 key 7 132F1801031905797F757A13
!
!
control-plane
!
banner login ^C
*******************************************************************************
* Welcome to TimSabLab Router *
* Authorized Access Only - Violators Will Be Prosecuted *
*******************************************************************************
^C
alias exec audit show ip int brief
!
line con 0
 exec-timeout 0 0
 logging synchronous
 transport input none
 stopbits 1
line vty 0 4
 access-class MGMT-VTY in
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input ssh
line vty 5 15
 access-class MGMT-VTY in
 exec-timeout 0 0
 privilege level 15
 length 0
 transport input ssh
!
ntp access-group peer 20
ntp server 192.168.99.1
!
end