Cisco Catalyst 6500 Series User Manual

11-7
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
Allowing a VPN Management Connection
FWSM/contexta(config)# isakmp policy 1 group 2
FWSM/contexta(config)# isakmp policy 1 hash sha
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
FWSM/contexta(config)# crypto ipsec transform-set site_to_site esp-3des ah-sha-hmac
Configuring VPN Client Access
A host with an installed version of the Cisco VPN Client can connect to the FWSM for management
purposes over a public network, such as the Internet.
To allow remote clients to connect to the FWSM for management access, first configure basic VPN
settings (see “Configuring Basic Settings for All Tunnels”), and then follow these steps:
Step 1 To specify the transform sets (defined in the “Configuring Basic Settings for All Tunnels” section on
page 11-5) allowed for client tunnels, enter the following command:
FWSM/contexta(config)# crypto dynamic-map dynamic_map_name priority set transform-set transform_set1 [transform_set2] [...]
List multiple transform sets in order of priority (highest priority first).
This dynamic crypto map allows unknown IP addresses to connect to the FWSM.
The dynamic-map name is used in Step 2.
The priority specifies the order in which multiple commands are evaluated. If you have a command that
specifies one set of transforms, and another that specifies others, then the priority number determines
the command that is evaluated first.
Step 2 To assign the dynamic crypto map (from Step 1) to a static tunnel, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name
Step 3 To specify the interface at which you want the client tunnels to terminate, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site
tunnel and VPN clients on the same interface, they need to share the same crypto map name.
Step 4 To specify the AAA server or the local user database that provides user authentication when a client
connects to the FWSM, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name client authentication {LOCAL | aaa_server_name [LOCAL]}
You must first configure the server name according to the “Identifying a AAA Server” section on
page 12-6 or the local database according to the “Configuring the Local Database” section on page 12-6.
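
How the names in Steps 1 through 4 must line up, as an added example that is not part of the Cisco guide: a Python check over a candidate command list that flags an undefined transform set or dynamic map, a missing Step 3 or Step 4, and two crypto map names on one interface. The command list is constructed; dyn_clients, mgmt_map and the priority numbers are hypothetical, while vpn_client and outside come from the commands earlier on this page.

```python
# Added example: consistency check for the Step 1-4 commands on this page.
# SAMPLE is constructed; dyn_clients and mgmt_map are hypothetical names.
SAMPLE = """\
FWSM/contexta(config)# crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
FWSM/contexta(config)# crypto dynamic-map dyn_clients 1 set transform-set vpn_client
FWSM/contexta(config)# crypto map mgmt_map 20 ipsec-isakmp dynamic dyn_clients
FWSM/contexta(config)# crypto map mgmt_map interface outside
FWSM/contexta(config)# crypto map mgmt_map client authentication LOCAL
"""


def audit(config):
    """Return findings where the Step 1-4 commands do not line up."""
    tsets, dyn, binds, ifaces, auth = set(), {}, {}, {}, set()
    for line in config.splitlines():
        w = line.split("# ", 1)[-1].split()  # drop the CLI prompt if present
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])                               # defined transform set
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            dyn.setdefault(w[2], []).extend(w[6:])        # Step 1
        elif w[:2] == ["crypto", "map"] and len(w) > 4:
            name = w[2]
            if w[3] == "interface":
                ifaces.setdefault(w[4], set()).add(name)  # Step 3
            elif w[3:5] == ["client", "authentication"]:
                auth.add(name)                            # Step 4
            elif w[4:6] == ["ipsec-isakmp", "dynamic"] and len(w) > 6:
                binds.setdefault(name, []).append(w[6])   # Step 2
    out = []
    for d, used in dyn.items():
        out += [f"dynamic-map {d}: transform set {t} is not defined"
                for t in used if t not in tsets]
    for m, maps in binds.items():
        out += [f"crypto map {m}: dynamic-map {d} is not defined"
                for d in maps if d not in dyn]
        if m not in auth:
            out.append(f"crypto map {m}: no client authentication (Step 4)")
        if not any(m in names for names in ifaces.values()):
            out.append(f"crypto map {m}: not applied to an interface (Step 3)")
    for i, names in ifaces.items():
        if len(names) > 1:
            out.append(f"interface {i}: more than one crypto map name applied")
    return out


if __name__ == "__main__":
    print(audit(SAMPLE) or "Steps 1-4 are consistent")
```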
