Configuring A Site-To-Site Tunnel - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Allowing a VPN Management Connection
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp enable outside
hostname(config)# username admin password passw0rd
hostname(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
hostname(config)# crypto dynamic-map vpn_client 1 set transform-set vpn
hostname(config)# crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
hostname(config)# crypto map telnet_tunnel interface outside
hostname(config)# crypto map telnet_tunnel client authentication LOCAL
hostname(config)# ip local pool Firstpool 10.1.1.1-10.1.1.2
hostname(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
hostname(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
hostname(config)# tunnel-group StocktonAAA general-attributes
hostname(config-tunnel-general)# address-pool Firstpool
hostname(config)# group-policy name attributes
hostname(config-group-policy)# split-tunnel-policy tunnelall
hostname(config)# group-policy ExternalGroup external server-group LodiAAA password $ecure23
hostname(config)# telnet 10.1.1.1 255.255.255.255 outside
hostname(config)# telnet 10.1.1.2 255.255.255.255 outside
hostname(config)# telnet timeout 30

Configuring a Site-to-Site Tunnel

To configure a site-to-site tunnel, first configure basic VPN settings (see the "Configuring Basic Settings for All Tunnels" section on page 23-5), and then perform the following steps:

Step 1
To set the shared key used by both peers, enter the following command:
hostname(config)# isakmp key keystring address peer-address

Step 2
To identify the traffic allowed to go over the tunnel, enter the following command:
hostname(config)# access-list acl_name [extended] {deny | permit} {protocol} host fwsm_interface_address dest_address mask
For the destination address, specify the addresses that are allowed to access the FWSM. See the "Adding an Extended Access List" section on page 13-6 for more information about access lists.

Step 3
To create an IPSec tunnel, enter the following command:
hostname(config)# crypto map crypto_map_name priority ipsec-isakmp
All tunnel attributes are identified by the same crypto map name.
The priority specifies the order in which multiple commands are evaluated. If you have a command for this crypto map name that specifies ipsec-isakmp, and another that specifies ipsec-isakmp dynamic (for VPN client connections), then the priority number determines the command that is evaluated first.

Step 4
To assign the access list from Step 2 to this tunnel, enter the following command:
hostname(config)# crypto map crypto_map_name priority match address acl_name

Step 5
To specify the remote peer on which this tunnel terminates, enter the following command:
hostname(config)# crypto map crypto_map_name priority set peer ip_address

Step 6
To specify the transform sets for this tunnel (defined in the "Configuring Basic Settings for All Tunnels" section on page 23-5), enter the following command:
hostname(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 23 Configuring Management Access
OL-20748-01
23-8
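The six steps above carried through with concrete values, as an added example that is not from the configuration guide. It assumes the basic tunnel settings (ISAKMP policy 1, isakmp enable outside, transform set vpn) are already in place as in the management-connection example earlier on this page, that no crypto map is yet bound to the outside interface, and these constructed values: remote peer 209.165.201.1, remote administration subnet 10.2.2.0/24, local outside address 209.165.200.225, and a placeholder pre-shared key.

```cisco
! Added worked example, not from the configuration guide. Assumed values:
! peer 209.165.201.1, remote admin subnet 10.2.2.0/24, outside address
! 209.165.200.225. Basic settings (isakmp policy 1, isakmp enable outside,
! transform-set vpn) are assumed to be configured already.

! Step 1: pre-shared key bound to this one peer address (placeholder value)
hostname(config)# isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 209.165.201.1

! Step 2: traffic permitted through the tunnel. Source is the FWSM's own
! outside address; destination is only the remote admin subnet. The syntax
! lets you name a protocol, so tcp is used here instead of ip to keep the
! crypto access list as narrow as the management use case needs.
hostname(config)# access-list SITE_MGMT extended permit tcp host 209.165.200.225 10.2.2.0 255.255.255.0

! Step 3: static ipsec-isakmp entry. Lower priority numbers are evaluated
! first, so a catch-all ipsec-isakmp dynamic entry for VPN clients in the
! same map should be given a higher number than this one.
hostname(config)# crypto map site_map 10 ipsec-isakmp

! Step 4: attach the access list from Step 2 to this entry
hostname(config)# crypto map site_map 10 match address SITE_MGMT

! Step 5: remote peer on which the tunnel terminates
hostname(config)# crypto map site_map 10 set peer 209.165.201.1

! Step 6: transform set defined in the basic settings
hostname(config)# crypto map site_map 10 set transform-set vpn

! Bind the map to the outside interface, as the management-connection example
! does; only one crypto map can be bound to a given interface.
hostname(config)# crypto map site_map interface outside

! Management access through the tunnel still needs the per-interface permit
! shown in the management-connection example, limited to the admin subnet.
hostname(config)# telnet 10.2.2.0 255.255.255.0 outside
```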
