Configuring A Site-To-Site Tunnel - Cisco Catalyst 6500 Series Configuration Manual

Chapter 11
Allowing Remote Management

Configuring a Site-to-Site Tunnel

To configure a site-to-site tunnel, first configure basic VPN settings (see "Configuring Basic Settings for All Tunnels"), and then follow these steps:

Step 1
To set the shared key used by both peers, enter the following command:
FWSM/contexta(config)# isakmp key keystring address peer-address

Step 2
To identify the traffic allowed to go over the tunnel, enter the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} {protocol} host fwsm_interface_address dest_address mask
For the destination address, specify the addresses that are allowed to access the FWSM. See the "Adding an Extended Access Control List" section on page 10-13 for more information about ACLs.

Step 3
To create an IPSec tunnel, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority ipsec-isakmp
All tunnel attributes are identified by the same crypto map name.
The priority specifies the order in which multiple commands are evaluated. If you have a command for this crypto map name that specifies ipsec-isakmp, and another that specifies ipsec-isakmp dynamic (for VPN client connections), then the priority number determines the command that is evaluated first.

Step 4
To assign the ACL from Step 2 to this tunnel, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority match address acl_name

Step 5
To specify the remote peer on which this tunnel terminates, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority set peer ip_address

Step 6
To specify the transform sets for this tunnel (defined in the "Configuring Basic Settings for All Tunnels" section on page 11-5), enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]
List multiple transform sets in order of priority (highest priority first). You can specify up to six transform sets.

Step 7
To specify the interface at which you want this tunnel to terminate, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site tunnel and VPN clients on the same interface, they need to share the same crypto map name.
This command must be entered after all other crypto map commands. If you change any crypto map settings, remove this command with the no prefix, and reenter it.

Step 8
To allow Telnet or SSH access, see the "Allowing Telnet" section on page 11-1 and the "Allowing SSH" section on page 11-2.

For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225).

Allowing a VPN Management Connection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
11-9
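The following is an added example, not the guide's own configuration: it writes out Steps 1 through 7 for the peer router 209.165.202.129 and outside interface 209.165.200.225 named above, and then lints that text for the rules the steps state (the crypto map interface command comes last, one crypto map name per interface, at most six transform sets, the match address ACL must exist, and a priority entry must be created with ipsec-isakmp before it is used). The shared key, the ACL name vpn_telnet, the crypto map name mgmt_map, the transform set name vpn_transform and the remote network 10.1.1.0/24 are assumptions; the Telnet permission from Step 8 belongs to the "Allowing Telnet" section and is not repeated here.

```python
"""Worked FWSM site-to-site tunnel configuration plus a small lint for the
ordering and uniqueness rules stated in Steps 3, 4, 6 and 7.
Added example; the configuration text is constructed, not from the guide."""
import re

# Constructed configuration for the page's example: peer router
# 209.165.202.129, FWSM outside interface 209.165.200.225. The key, ACL name,
# crypto map name, transform set name and remote network are assumptions.
SITE_TO_SITE_CONFIG = """
isakmp key EXAMPLE-SHARED-KEY address 209.165.202.129
access-list vpn_telnet extended permit tcp host 209.165.200.225 10.1.1.0 255.255.255.0
crypto map mgmt_map 10 ipsec-isakmp
crypto map mgmt_map 10 match address vpn_telnet
crypto map mgmt_map 10 set peer 209.165.202.129
crypto map mgmt_map 10 set transform-set vpn_transform
crypto map mgmt_map interface outside
"""

# "crypto map NAME PRIORITY rest" or "crypto map NAME interface IFNAME"
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\S+)(?: (.*))?$")
MAX_TRANSFORM_SETS = 6  # Step 6: up to six transform sets


def lint_crypto_config(config: str) -> list[str]:
    """Return a list of rule violations found in the config (empty = clean)."""
    problems: list[str] = []
    acls: set[str] = set()                  # ACL names defined with access-list
    created: set[tuple[str, str]] = set()   # (map name, priority) made with ipsec-isakmp
    interface_bound: dict[str, int] = {}    # map name -> line of its interface command
    iface_to_map: dict[str, str] = {}       # interface name -> crypto map name

    for idx, raw in enumerate(config.strip().splitlines(), start=1):
        line = raw.strip()
        if line.startswith("access-list "):
            acls.add(line.split()[1])
            continue
        m = CRYPTO_MAP_RE.match(line)
        if not m:
            continue  # isakmp key and other non-crypto-map lines
        name, second, rest = m.group(1), m.group(2), m.group(3) or ""

        if second == "interface":
            iface = rest.strip()
            # Step 7: only one crypto map name may be applied to an interface
            if iface in iface_to_map and iface_to_map[iface] != name:
                problems.append(
                    f"line {idx}: interface {iface} already carries crypto map "
                    f"{iface_to_map[iface]}; only one crypto map name per interface")
            iface_to_map[iface] = name
            interface_bound[name] = idx
            continue

        # Step 7: the interface command must come after all other crypto map commands
        if name in interface_bound:
            problems.append(
                f"line {idx}: crypto map {name} changed after its interface command on "
                f"line {interface_bound[name]}; remove that command with 'no' and reenter it")

        words = rest.split()
        if words[:1] == ["ipsec-isakmp"]:
            created.add((name, second))      # Step 3 creates the entry
            continue
        # Steps 4-6 operate on an entry that Step 3 must have created first
        if (name, second) not in created:
            problems.append(
                f"line {idx}: crypto map {name} {second} used before being created with ipsec-isakmp")
        if words[:2] == ["match", "address"]:
            # Step 4: the referenced ACL must exist (Step 2)
            if len(words) < 3 or words[2] not in acls:
                problems.append(f"line {idx}: match address refers to an undefined ACL")
        elif words[:2] == ["set", "transform-set"]:
            # Step 6: one to six transform sets, highest priority first
            sets = words[2:]
            if not sets or len(sets) > MAX_TRANSFORM_SETS:
                problems.append(
                    f"line {idx}: set transform-set must list 1 to {MAX_TRANSFORM_SETS} transform sets")
    return problems


if __name__ == "__main__":
    for problem in lint_crypto_config(SITE_TO_SITE_CONFIG) or ["no problems found"]:
        print(problem)
```

Run the lint over a candidate configuration before pasting it into the context; the most common slip it catches is editing a crypto map entry after the interface command has already been entered, which the guide says requires removing that command with no and reentering it.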