Cisco 7604 Configuration Guide - Page 529
Chapter 23 Configuring Management Access
Allowing a VPN Management Connection

The priority specifies the order in which multiple commands are evaluated. If one command specifies one set of transforms and another command specifies a different set, the priority number determines which command is evaluated first.

Step 2 To assign the dynamic crypto map (from Step 1) to a static crypto map entry, enter the following command:
hostname(config)# crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name

Step 3 To specify the interface at which you want the client tunnels to terminate, enter the following command:
hostname(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site tunnel and VPN clients on the same interface, they must share the same crypto map name.

Step 4 To specify the range of addresses that VPN clients use on the FWSM, enter the following command:
hostname(config)# ip local pool pool_name first_ip_address-last_ip_address [mask mask]
All tunneled packets from the client use one of these addresses as the source address.

Step 5 To specify the traffic that is destined for the FWSM, so that only that traffic is tunneled according to the group policy in Step 7, enter the following command:
hostname(config)# access-list acl_name [extended] permit {protocol} host fwsm_interface_address pool_addresses mask
This access list identifies traffic from the local pool (see Step 4) destined for the FWSM interface. See the "Adding an Extended Access List" section on page 13-6 for more information about access lists.

Step 6 To assign the VPN address pool to a tunnel group, enter the following commands:
hostname(config)# tunnel-group name general-attributes
hostname(config-tunnel-general)# address-pool pool_name
This group specifies the VPN characteristics for connecting clients. When a client connects to the FWSM, the user must enter this tunnel group name and the group password set in Step 8.

Step 7 To specify that only traffic destined for the FWSM is tunneled, enter the following commands:
hostname(config)# group-policy name attributes
hostname(config-group-policy)# split-tunnel-policy tunnelall
Note This command is required.

Step 8 To set the VPN group password, enter the following command:
hostname(config)# group-policy group_name external server-group server_group_name password server_password

Step 9 To allow Telnet or SSH access, see the "Allowing Telnet Access" section on page 23-1 and the "Allowing SSH Access" section on page 23-2. Specify the VPN pool addresses (from Step 4) in the telnet and ssh commands, so that Telnet and SSH are permitted only from addresses assigned to VPN clients.

For example, the following commands allow VPN clients to use Telnet on the outside interface (209.165.200.225). User authentication uses the local database, so users who have the tunnel group name and password, as well as the username "admin" and the password "passw0rd", can connect to the FWSM.
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 23-7