
service password-encryption
// only obfuscates (type 7) line passwords and the TACACS key; it is reversible, so store accounts with 'secret'

username admin privilege 15 secret N3tw0rkm@st3r
// local fallback account; 'secret' keeps an irreversible hash, 'password' would only be type 7

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
// no local fallback for enable: if TACACS is unreachable, privileged access is only through the local privilege-15 user via exec authorization below
aaa authentication ppp default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
// 'aaa accounting exec default' on its own is incomplete; IOS needs the record type and the method list
tacacs-server host 172.16.111.88
tacacs-server key cisco@0211
ip tacacs source-interface vlan 1

============================
// add the branch router as an AAA client on the ACS server, keyed on its Vlan 1 IP (the TACACS source interface above); the shared key must match 'tacacs-server key'

// the login-attempt limit is 'ip ssh authentication-retries'; 'ip ssh retries' is not an IOS command

ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 10
// SSH needs an RSA key pair ('crypto key generate rsa'), which in turn needs 'hostname' and 'ip domain name' set first

line console 0
password n3tw0rkm@st3r
// with 'aaa new-model' this line password is not consulted; the default login list (tacacs+, then local) applies to the console as well

line vty 0 4
transport input ssh telnet
// telnet is cleartext: keep it only while legacy management hosts need it, restrict it with the ssh+telnet access-class further down, then move to 'transport input ssh'

no line vty 5 15
no ip domain-lookup
no ip http server
no ip http secure-server
// the remaining 'ip http ...' lines are defaults left behind by SDM/CCP; harmless once both servers are off, but remove them so the config is clean
no ip http access-class 23
no ip http authentication local
no ip http timeout-policy idle 60 life 86400 requests 10000

logging source-interface Vlan 1

clock timezone PKT 5
// the first argument is only a label shown in timestamps; 'GMT +5' would stamp logs as "GMT" while the clock is actually UTC+5


//branch router config for NTP

no ntp server 172.16.111.125

ntp server 172.16.111.5


ntp source vlan1

banner login ^C
WARNING!!!*** Railway Rd Sheikhupura ***ACCESS IS RESTRICTED TO AUTHORIZED
PERSONNEL ONLY**
***************************************************************************
*
* WARNING:
* THIS SYSTEM IS FOR THE USE OF AUTHORIZED USERS ONLY!
* INDIVIDUALS USING THE COMPUTER NETWORK SYSTEM WITHOUT
* AUTHORIZATION, OR IN EXCESS OF THEIR AUTHORIZATION, ARE
* SUBJECT TO HAVING ALL THEIR ACTIVITY ON THIS COMPUTER
* NETWORK SYSTEM MONITORED AND RECORDED BY SYSTEM
* PERSONNEL.
* ACCESS IS RESTRICTED TO AUTHORIZED USERS ONLY!
**************************************************************************
^C

line con 0
password N3tw0rkm@st3r
// repeats the console password set earlier with different case (n3... there, N3... here); whichever is entered last is what the config keeps
line aux 0
no exec
// 'no exec' stops logins on the aux port; 'transport input none' additionally blocks it from being used as a dial-in path

no snmp-server
// the command is hyphenated; 'no snmp server' is rejected by IOS
ip domain name bop.com.pk
no ip bootp server
no service dhcp
service tcp-keepalives-in
no service pad
no ip source-route

=====================
IN VPN (head-end firewall; 'set ikev1 transform-set' is ASA syntax)
// show run | include HO-                 <- find the branch's crypto ACL name
// show run crypto map | include <sequence number of this branch's map entry, 94 here>
// only the transform-set binding changes; match address and peer are removed and re-added unchanged
no crypto map BOPVPN1 94 match address HO-0040
no crypto map BOPVPN1 94 set peer 10.0.4.0
no crypto map BOPVPN1 94 set ikev1 transform-set TSET

crypto map BOPVPN1 94 match address HO-0040
crypto map BOPVPN1 94 set peer 10.0.4.0
crypto map BOPVPN1 94 set ikev1 transform-set TSET4
// TSET4 on the head end must match tset4 on the router (esp-aes esp-sha-hmac), otherwise phase 2 fails

===========================================================
IN ROUTER

// phase 1 policy already in place, shown for reference:
// crypto isakmp policy 10
//  hash sha
//  authentication pre-share
//  group 2
// group 2 is 1024-bit DH; move to group 14 once the head end supports it

crypto ipsec transform-set tset4 esp-aes esp-sha-hmac

crypto map smap 10 ipsec-isakmp
set transform-set tset4
// 'set transform-set' replaces the map entry's whole transform-set list, so tset is no longer referenced

no crypto ipsec transform-set tset esp-des esp-md5-hmac
// delete the old DES/MD5 set only after the map points at tset4

\\\\\ if the tunnel does not come up with tset4 \\\\\

crypto ipsec transform-set tset5 esp-3des esp-sha-hmac
// fallback only: 3DES is weaker than AES; record every branch left on tset5 (baseline step 5) so it gets revisited


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

IN ROUTER
ip access-list extended ssh+telnet
10 permit tcp host 172.16.111.14 any range 22 23
20 permit tcp host 172.16.111.9 any range 22 23
30 permit tcp host 172.16.111.35 any range 22 23
35 permit tcp host 172.16.111.220 any range 22 23
40 permit tcp host 172.16.111.80 any range 22 23
60 permit tcp host 172.16.111.61 any range 22 23
70 permit tcp host 172.16.119.60 any range 22 23
80 permit tcp host 172.16.119.62 any range 22 23
85 permit tcp 172.16.111.188 0.0.0.3 any
90 permit tcp 192.168.211.0 0.0.0.31 any
// sequence 90 is the branch LAN; adjust it to each branch's own subnet
// the original notes used 30 and 80 twice; IOS rejects a duplicate sequence number, so the second host would never have been added (renumbered to 35 and 85 here)
line vty 0 4
access-class ssh+telnet in
// the implicit deny blocks every other source; while telnet is still enabled this ACL is the only thing limiting cleartext logins

\\\\\\\\\\\\\\\\\

**********Baseline configurations*******************

1) phase 1 policy
crypto isakmp policy 10
encryption aes 128
hash sha
exit

2) management plane
no line vty 5 15
no ip domain-lookup
no ip http server
no ip http access-class 23
no ip http authentication local
no ip http secure-server
no ip http timeout-policy idle 60 life 86400 requests 10000

3) vty access list: replace the branch LAN entry
ip access-list extended ssh+telnet
no 90
90 permit tcp 192.168.X.0 0.0.0.31 any
// X is the branch's LAN octet; use wildcard 0.0.0.255 instead of 0.0.0.31 where the branch was already configured with a /24

4) confirm tset4 exists
crypto ipsec transform-set tset4 esp-aes esp-sha-hmac

5) if the branch is on tset5 (3DES fallback):
record it in the Excel sheet

*************************************************************

tset4 to tset (rollback to the old DES/MD5 set; emergency use only, it undoes the whole point of the change)

crypto ipsec transform-set tset esp-des esp-md5-hmac

crypto map smap 10 ipsec-isakmp
no set transform-set tset4
set transform-set tset

no crypto ipsec transform-set tset4 esp-aes esp-sha-hmac
// same order as the forward change: repoint the map first, then delete the set it no longer references
