11-8
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
Allowing a VPN Management Connection
Step 5 To specify the range of addresses that VPN clients use on the FWSM, enter the following command:
FWSM/contexta(config)# ip local pool pool_name ip_address[-ip_address]
All tunneled packets from the client use one of these addresses as the source address.
Step 6 To specify the traffic that is destined for the FWSM, so you can tunnel only that traffic according to the vpngroup split-tunnel command in Step 8, enter the following command:
FWSM/contexta(config)# access-list acl_name [extended] permit {protocol} host fwsm_interface_address pool_addresses mask
This ACL identifies traffic from the local pool (see Step 5) destined for the FWSM interface. See the
“Adding an Extended Access Control List” section on page 10-13 for more information about ACLs.
Step 7 To assign the VPN address pool to a VPN group, enter the following command:
FWSM/contexta(config)# vpngroup group_name address-pool pool_name
This group specifies the VPN characteristics for connecting clients. When a client connects to the FWSM, the user must enter the VPN group name as well as the VPN group password that you set in Step 9.
Step 8 To specify that only traffic destined for the FWSM is tunneled, enter the following command:
FWSM/contexta(config)# vpngroup group_name split-tunnel acl_name
This command is required.
Step 9 To set the VPN group password, enter the following command:
FWSM/contexta(config)# vpngroup group_name password password
Step 10 To allow Telnet or SSH access, see the “Allowing Telnet” section on page 11-1 and the “Allowing SSH” section on page 11-2.
Specify the VPN pool addresses in the telnet and ssh commands.
For example, the following commands allow VPN clients to use Telnet on the outside interface (209.165.200.225). User authentication uses the local database, so a user who supplies the VPN group name and password, as well as the username “admin” and the password “passw0rd”, can connect to the FWSM.
FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des
FWSM/contexta(config)# isakmp policy 1 group 2
FWSM/contexta(config)# isakmp policy 1 hash sha
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# username admin password passw0rd
FWSM/contexta(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
FWSM/contexta(config)# crypto dynamic-map vpn_client 1 set transform-set vpn
FWSM/contexta(config)# crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
FWSM/contexta(config)# crypto map telnet_tunnel interface outside
FWSM/contexta(config)# crypto map telnet_tunnel client authentication LOCAL
FWSM/contexta(config)# ip local pool client_pool 10.1.1.1-10.1.1.2
FWSM/contexta(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
FWSM/contexta(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
FWSM/contexta(config)# vpngroup admin address-pool client_pool
FWSM/contexta(config)# vpngroup admin split-tunnel VPN_SPLIT
FWSM/contexta(config)# vpngroup admin password $ecure23
FWSM/contexta(config)# telnet 10.1.1.1 255.255.255.255 outside
FWSM/contexta(config)# telnet 10.1.1.2 255.255.255.255 outside
FWSM/contexta(config)# telnet timeout 30
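The procedure above ties three pieces of configuration together: the address pool (Step 5), the split-tunnel ACL that must cover every pool address toward the FWSM interface (Steps 6 and 8), and the telnet or ssh lines that must list the same pool addresses (Step 10). A pool that is later widened without the matching ACL and telnet lines leaves some clients unable to manage the FWSM. The following Python script is an added example, not Cisco's or the guide's own code: it parses a configuration excerpt in the command syntax shown on this page (CLI prompts removed) and reports every pool address that is missing from the split-tunnel ACL or from the management access list. The sample configurations embedded in it are constructed from the example above; the FWSM interface address and interface name are passed in as parameters.

```python
"""Consistency audit for the FWSM VPN-management procedure on this page.

For each vpngroup, verify that every address in its `ip local pool` is
(1) covered by its split-tunnel ACL as the destination of a `permit ... host
<fwsm_interface_address> ...` entry, and (2) permitted by a `telnet` or `ssh`
line on the management interface.  Added example code; sample configs below
are constructed from the page's example, not captured from a device.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the working configuration from this page, prompts removed.
GOOD_CONFIG = """\
ip local pool client_pool 10.1.1.1-10.1.1.2
access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
vpngroup admin address-pool client_pool
vpngroup admin split-tunnel VPN_SPLIT
telnet 10.1.1.1 255.255.255.255 outside
telnet 10.1.1.2 255.255.255.255 outside
telnet timeout 30
"""

# Constructed sample: pool widened to three addresses, but the ACL and telnet
# lines were not updated, so 10.1.1.3 cannot reach the management service.
BAD_CONFIG = GOOD_CONFIG.replace("10.1.1.1-10.1.1.2", "10.1.1.1-10.1.1.3")

IPV4 = r"\d+\.\d+\.\d+\.\d+"
POOL_RE = re.compile(rf"^ip local pool (?P<name>\S+) (?P<first>{IPV4})(?:-(?P<last>{IPV4}))?$")
# Matches both forms from Step 6: `host <pool_addr>` and `<pool_addresses> <mask>`.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?permit \S+ host (?P<src>\S+) "
    r"(?:host (?P<dst_host>\S+)|(?P<dst_net>\S+) (?P<dst_mask>\S+))$"
)
MGMT_RE = re.compile(rf"^(?:telnet|ssh) (?P<addr>{IPV4}) (?P<mask>{IPV4}) (?P<iface>\S+)$")
GROUP_RE = re.compile(r"^vpngroup (?P<group>\S+) (?P<key>address-pool|split-tunnel) (?P<value>\S+)$")


class AclEntry(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Network


def parse_config(text: str) -> dict:
    """Extract pools, split-tunnel ACL entries, telnet/ssh permits and vpngroup bindings."""
    pools: Dict[str, List[ipaddress.IPv4Address]] = {}
    acls: Dict[str, List[AclEntry]] = {}
    mgmt: Dict[str, List[ipaddress.IPv4Network]] = {}  # interface -> permitted client networks
    groups: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            first = ipaddress.IPv4Address(m["first"])
            last = ipaddress.IPv4Address(m["last"] or m["first"])
            # Expand the pool range so each client address can be checked individually.
            pools[m["name"]] = [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]
        elif m := ACL_RE.match(line):
            if m["dst_host"]:
                dst = ipaddress.IPv4Network(m["dst_host"] + "/32")
            else:
                dst = ipaddress.IPv4Network(f"{m['dst_net']}/{m['dst_mask']}", strict=False)
            acls.setdefault(m["name"], []).append(AclEntry(ipaddress.IPv4Address(m["src"]), dst))
        elif m := MGMT_RE.match(line):  # `telnet timeout 30` does not match and is skipped
            net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
            mgmt.setdefault(m["iface"], []).append(net)
        elif m := GROUP_RE.match(line):
            groups.setdefault(m["group"], {})[m["key"]] = m["value"]
    return {"pools": pools, "acls": acls, "mgmt": mgmt, "groups": groups}


def audit(text: str, fwsm_interface_address: str, interface: str) -> List[str]:
    """Return findings for every pool address a VPN client could not use; empty list means consistent."""
    cfg = parse_config(text)
    fwsm_addr = ipaddress.IPv4Address(fwsm_interface_address)
    findings: List[str] = []
    for group, attrs in cfg["groups"].items():
        pool = cfg["pools"].get(attrs.get("address-pool", ""), [])
        acl = cfg["acls"].get(attrs.get("split-tunnel", ""), [])
        if not pool:
            findings.append(f"vpngroup {group}: no address pool assigned, or pool not defined")
        if not acl:
            findings.append(f"vpngroup {group}: no split-tunnel ACL assigned, or ACL not defined")
        for addr in pool:
            if not any(e.src == fwsm_addr and addr in e.dst for e in acl):
                findings.append(f"vpngroup {group}: {addr} is not covered by the split-tunnel ACL")
            if not any(addr in net for net in cfg["mgmt"].get(interface, [])):
                findings.append(f"vpngroup {group}: {addr} has no telnet/ssh entry on {interface}")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg_text, "209.165.200.225", "outside") or ["OK"])
```

Running the script on the page's configuration reports no findings; on the widened pool it reports that 10.1.1.3 is missing from both VPN_SPLIT and the telnet list, which is exactly the pair of lines that Steps 6 and 10 require per pool address.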