Cisco 7604 Configuration Guide - Page 530
Allowing a VPN Management Connection
Chapter 23 Configuring Management Access

hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp enable outside
hostname(config)# username admin password passw0rd
hostname(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
hostname(config)# crypto dynamic-map vpn_client 1 set transform-set vpn
hostname(config)# crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
hostname(config)# crypto map telnet_tunnel interface outside
hostname(config)# crypto map telnet_tunnel client authentication LOCAL
hostname(config)# ip local pool Firstpool 10.1.1.1-10.1.1.2
hostname(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
hostname(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
hostname(config)# tunnel-group StocktonAAA general-attributes address-pool Firstpool
hostname(config)# group-policy name attributes
hostname(config-group-policy)# split-tunnel-policy tunnelall
hostname(config)# group-policy ExternalGroup external server-group LodiAAA password $ecure23
hostname(config)# telnet 10.1.1.1 255.255.255.255 outside
hostname(config)# telnet 10.1.1.2 255.255.255.255 outside
hostname(config)# telnet timeout 30

Configuring a Site-to-Site Tunnel

To configure a site-to-site tunnel, first configure basic VPN settings (see "Configuring Basic Settings for All Tunnels"), and then perform the following steps:

Step 1 To set the shared key used by both peers, enter the following command:
hostname(config)# isakmp key keystring address peer-address

Step 2 To identify the traffic allowed to go over the tunnel, enter the following command:
hostname(config)# access-list acl_name [extended] {deny | permit} {protocol} host fwsm_interface_address dest_address mask
For the destination address, specify the addresses that are allowed to access the FWSM. See the "Adding an Extended Access List" section on page 13-6 for more information about access lists.

Step 3 To create an IPSec tunnel, enter the following command:
hostname(config)# crypto map crypto_map_name priority ipsec-isakmp
All tunnel attributes are identified by the same crypto map name. The priority specifies the order in which multiple commands are evaluated. If you have a command for this crypto map name that specifies ipsec-isakmp, and another that specifies ipsec-isakmp dynamic (for VPN client connections), then the priority number determines the command that is evaluated first.

Step 4 To assign the access list from Step 2 to this tunnel, enter the following command:
hostname(config)# crypto map crypto_map_name priority match address acl_name

Step 5 To specify the remote peer on which this tunnel terminates, enter the following command:
hostname(config)# crypto map crypto_map_name priority set peer ip_address

Step 6 To specify the transform sets for this tunnel (defined in the "Configuring Basic Settings for All Tunnels" section on page 23-5), enter the following command:
hostname(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]

23-8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
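The six steps assembled into one crypto map, as an added example that is not from the guide: the map name site_map, the ACL name SITE_ACL, the peer 209.165.201.1, the remote network 192.168.20.0/24 and the priorities 10 and 20 are constructed values; the transform set vpn, the dynamic map vpn_client, the outside interface and the FWSM address 209.165.200.225 are taken from the management example above.

```cisco
! Step 1: pre-shared key for this peer only (placeholder key, constructed peer address)
hostname(config)# isakmp key <shared-key> address 209.165.201.1
! Step 2: traffic permitted over the tunnel: source is the FWSM outside address,
! destination is limited to the remote network that may reach the FWSM (constructed)
hostname(config)# access-list SITE_ACL extended permit ip host 209.165.200.225 192.168.20.0 255.255.255.0
! Steps 3-6: the static site-to-site entry; priority 10 is evaluated before the dynamic entry below
hostname(config)# crypto map site_map 10 ipsec-isakmp
hostname(config)# crypto map site_map 10 match address SITE_ACL
hostname(config)# crypto map site_map 10 set peer 209.165.201.1
! transform set vpn (esp-3des esp-sha-hmac) is the one defined in the basic-settings example;
! choose the strongest transform the platform offers
hostname(config)# crypto map site_map 10 set transform-set vpn
! Dynamic entry for VPN clients under the same map name, with a higher priority number
! so the static peer entry is matched first
hostname(config)# crypto map site_map 20 ipsec-isakmp dynamic vpn_client
! One crypto map per interface: applying site_map here covers both entries
hostname(config)# crypto map site_map interface outside
```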