Cisco 7604 Configuration Manual page 529

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 23
Configuring Management Access
Allowing a VPN Management Connection

The priority specifies the order in which multiple commands are evaluated. If you have a command that specifies one set of transforms, and another that specifies others, then the priority number determines the command that is evaluated first.

Step 2
To assign the dynamic crypto map (from Step 1) to a static tunnel, enter the following command:
hostname(config)# crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name

Step 3
To specify the interface at which you want the client tunnels to terminate, enter the following command:
hostname(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site tunnel and VPN clients on the same interface, they need to share the same crypto map name.

Step 4
To specify the range of addresses that VPN clients use on the FWSM, enter the following command:
hostname(config)# ip local pool pool_name first_ip_address-last_ip_address [mask mask]
All tunneled packets from the client use one of these addresses as the source address.

Step 5
To specify the traffic that is destined for the FWSM, so you can tunnel only that traffic according to the tunnel group command in Step 7, enter the following command:
hostname(config)# access-list acl_name [extended] permit {protocol} host fwsm_interface_address pool_addresses mask
This access list identifies traffic from the local pool (see Step 4) destined for the FWSM interface. See the "Adding an Extended Access List" section on page 13-6 for more information about access lists.

Step 6
To assign the VPN address pool to a tunnel group, enter the following command:
hostname(config)# tunnel-group name general-attributes address-pool pool_name
This group specifies VPN characteristics for connecting clients. When a client connects to the FWSM, they need to enter the tunnel group name and password in Step 8.

Step 7
To specify that only traffic destined for the FWSM is tunneled, enter the following commands:
hostname(config)# group-policy name attributes
hostname(config-group-policy)# split-tunnel-policy tunnelall
Note
This command is required.

Step 8
To set the VPN group password, enter the following command:
hostname(config)# group-policy group_name external server-group server_group_name password server_password

Step 9
To allow Telnet or SSH access, see the "Allowing Telnet Access" section on page 23-1 and the "Allowing SSH Access" section on page 23-2. Specify the VPN pool addresses in the telnet and ssh commands.

For example, the following commands allow VPN clients to use Telnet on the outside interface (209.165.200.225). The user authentication is the local database, so users with the tunnel group name and password, as well as the username "admin" and the password "passw0rd" can connect to the FWSM.
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
23-7
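To check a finished configuration against Steps 4, 5, 6 and 9 above, the following Python script, added here and not part of the Cisco guide, audits a constructed FWSM configuration fragment: it verifies that the tunnel group references a defined pool, that the Step 5 access list covers every pool address, and that the telnet and ssh source ranges are no wider than the VPN pool. The pool, access-list name, interface and addresses in SAMPLE_CONFIG are made up.

```python
import ipaddress
import re

# Constructed FWSM configuration fragment (not from the manual) that follows
# Steps 4, 5, 6 and 9; pool, ACL name, interface and addresses are made up.
SAMPLE_CONFIG = """\
ip local pool client_pool 10.1.1.16-10.1.1.31 mask 255.255.255.0
access-list VPN_SPLIT extended permit ip host 209.165.200.225 10.1.1.16 255.255.255.240
tunnel-group client1 general-attributes address-pool client_pool
telnet 10.1.1.16 255.255.255.240 outside
ssh 10.1.1.0 255.255.255.0 outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
TG_RE = re.compile(r"^tunnel-group \S+ general-attributes address-pool (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit \S+ host (\S+) (\S+) (\S+)", re.M)
MGMT_RE = re.compile(r"^(telnet|ssh) (\S+) (\S+) (\S+)", re.M)

def parse_pools(cfg):
    """Map each 'ip local pool' name to its inclusive (first, last) address pair."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in POOL_RE.findall(cfg)}

def within_pool(net, pools):
    """True if every address of the network lies inside one VPN pool."""
    return any(lo <= net[0] and net[-1] <= hi for lo, hi in pools.values())

def audit_vpn_management(cfg):
    """Return findings: an undefined pool reference (Step 6), a split-tunnel
    access list that misses pool addresses (Step 5), or telnet/ssh source
    ranges wider than the VPN pool (Step 9)."""
    pools = parse_pools(cfg)
    findings = []
    for pool in TG_RE.findall(cfg):
        if pool not in pools:
            findings.append(f"tunnel-group references undefined pool {pool}")
    for acl, fwsm_addr, addr, mask in ACL_RE.findall(cfg):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for name, (lo, hi) in pools.items():
            if lo not in net or hi not in net:
                findings.append(f"access-list {acl} to {fwsm_addr} does not cover pool {name}")
    for proto, addr, mask, iface in MGMT_RE.findall(cfg):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if not within_pool(net, pools):
            findings.append(f"{proto} {net} on {iface} is wider than the VPN pool")
    return findings

if __name__ == "__main__":
    print(audit_vpn_management(SAMPLE_CONFIG))
```

For the sample, only the ssh line is reported, because 10.1.1.0/24 admits far more sources than the 16-address pool the clients actually draw from.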