Configuring VPN Client Access - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide (OL-6392-01)
Chapter 11 Allowing Remote Management
Allowing a VPN Management Connection
FWSM/contexta(config)# isakmp policy 1 group 2
FWSM/contexta(config)# isakmp policy 1 hash sha
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
FWSM/contexta(config)# crypto ipsec transform-set site_to_site esp-3des ah-sha-hmac

Configuring VPN Client Access

A host with an installed version of the Cisco VPN Client can connect to the FWSM for management
purposes over a public network, such as the Internet.
To allow remote clients to connect to the FWSM for management access, first configure the basic VPN settings (see the "Configuring Basic Settings for All Tunnels" section on page 11-5), and then follow these steps:

Step 1 To specify the transform sets (defined in the "Configuring Basic Settings for All Tunnels" section on page 11-5) that are allowed for client tunnels, enter the following command:

FWSM/contexta(config)# crypto dynamic-map dynamic_map_name priority set transform-set transform_set1 [transform_set2] [...]

List multiple transform sets in order of priority (highest priority first). This dynamic crypto map allows peers whose IP addresses are not known in advance, such as remote VPN clients, to connect to the FWSM. The dynamic-map name is used in Step 2.

The priority specifies the order in which multiple entries are evaluated. If one entry specifies one set of transforms and another entry specifies others, the priority number determines which entry is evaluated first.

Step 2 To assign the dynamic crypto map (from Step 1) to the static crypto map, enter the following command:

FWSM/contexta(config)# crypto map crypto_map_name priority ipsec-isakmp dynamic dynamic_map_name

Step 3 To specify the interface on which the client tunnels terminate, enter the following command:

FWSM/contexta(config)# crypto map crypto_map_name interface interface_name

You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site tunnel and VPN clients on the same interface, they must share the same crypto map name.

Step 4 To specify the AAA server or the local user database that authenticates users when a client connects to the FWSM, enter the following command:

FWSM/contexta(config)# crypto map crypto_map_name client authentication {LOCAL | aaa_server_name [LOCAL]}

You must first configure the server name according to the "Identifying a AAA Server" section on page 12-6, or the local database according to the "Configuring the Local Database" section on page 12-6. Specifying LOCAL after a server name makes the local database the fallback when that server is unavailable.
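The four steps as one worked configuration, added here as an example; it is not taken from the guide. It reuses the transform sets vpn_client and site_to_site from the basic-settings example above. The map names, sequence numbers, access-list name and peer address are assumptions. The static site-to-site entry is included only to show the shared-map requirement from Step 3; the commands that build it (match address, set peer, set transform-set) belong to the guide's site-to-site procedure, which this page does not reproduce.

```text
! Added example, not the guide's own text. Assumed names: dynamic map vpn_dyn,
! crypto map outside_map, access list l2l_traffic, remote peer 203.0.113.10.

! Step 1: dynamic map for clients whose source addresses are unknown.
! If several transform sets are allowed, list the preferred one first.
FWSM/contexta(config)# crypto dynamic-map vpn_dyn 10 set transform-set vpn_client

! Existing site-to-site entry on the same map (from the site-to-site procedure;
! sequence 10 is evaluated before any higher sequence number).
FWSM/contexta(config)# crypto map outside_map 10 ipsec-isakmp
FWSM/contexta(config)# crypto map outside_map 10 match address l2l_traffic
FWSM/contexta(config)# crypto map outside_map 10 set peer 203.0.113.10
FWSM/contexta(config)# crypto map outside_map 10 set transform-set site_to_site

! Step 2: attach the dynamic map as the last entry of the same static map,
! so a known peer matches its own static entry before the catch-all one.
FWSM/contexta(config)# crypto map outside_map 65535 ipsec-isakmp dynamic vpn_dyn

! Step 3: bind the single map to the interface. Both tunnel types share
! outside_map because only one crypto map can be applied per interface.
FWSM/contexta(config)# crypto map outside_map interface outside

! Step 4: authenticate VPN client users against the local user database.
FWSM/contexta(config)# crypto map outside_map client authentication LOCAL
```

Two points worth checking on a real box. First, the dynamic entry deliberately takes the largest sequence number: entries are evaluated from the lowest number up, so if the dynamic entry came first, the site-to-site peer could negotiate against the client transform set instead of its own. Second, because only one map can be bound to outside, every further tunnel for that interface, static or dynamic, has to be added as another sequence number on outside_map rather than as a new map. The transform sets carried over from the guide use 3DES with SHA-1 and the ISAKMP policy uses Diffie-Hellman group 2; treat those as the guide's illustration rather than a recommendation, and choose the strongest algorithms the FWSM release you run supports.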