Cisco Catalyst 6500 Series Configuration Manual page 216

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Allowing a VPN Management Connection

Step 5 To specify the range of addresses that VPN clients use on the FWSM, enter the following command:

FWSM/contexta(config)# ip local pool pool_name ip_address[-ip_address]

All tunneled packets from the client use one of these addresses as the source address.

Step 6 To specify the traffic that is destined for the FWSM, so you can tunnel only that traffic according to the vpngroup split-tunnel command in Step 8, enter the following command:

FWSM/contexta(config)# access-list acl_name [extended] permit {protocol} host fwsm_interface_address pool_addresses mask

This ACL identifies traffic from the local pool (see Step 5) destined for the FWSM interface. See the "Adding an Extended Access Control List" section on page 10-13 for more information about ACLs.

Step 7 To assign the VPN address pool to a VPN group, enter the following command:

FWSM/contexta(config)# vpngroup group_name address-pool pool_name

This group specifies VPN characteristics for connecting clients. When a client connects to the FWSM, the user needs to enter the VPN group name as well as the VPN group password set in Step 9.

Step 8 To specify that only traffic destined for the FWSM is tunneled, enter the following command:

FWSM/contexta(config)# vpngroup group_name split-tunnel acl_name

This command is required.

Step 9 To set the VPN group password, enter the following command:

FWSM/contexta(config)# vpngroup group_name password password

Step 10 To allow Telnet or SSH access, see the "Allowing Telnet" section on page 11-1 and the "Allowing SSH" section on page 11-2. Specify the VPN pool addresses in the telnet and ssh commands.

For example, the following commands allow VPN clients to use Telnet on the outside interface (209.165.200.225). The user authentication is the local database, so users with the VPN group name and password, as well as the username "admin" and the password "passw0rd", can connect to the FWSM.

FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des
FWSM/contexta(config)# isakmp policy 1 group 2
FWSM/contexta(config)# isakmp policy 1 hash sha
FWSM/contexta(config)# isakmp enable outside
FWSM/contexta(config)# username admin password passw0rd
FWSM/contexta(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
FWSM/contexta(config)# crypto dynamic-map vpn_client 1 set transform-set vpn
FWSM/contexta(config)# crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
FWSM/contexta(config)# crypto map telnet_tunnel interface outside
FWSM/contexta(config)# crypto map telnet_tunnel client authentication LOCAL
FWSM/contexta(config)# ip local pool client_pool 10.1.1.1-10.1.1.2
FWSM/contexta(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
FWSM/contexta(config)# access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
FWSM/contexta(config)# vpngroup admin address-pool client_pool
FWSM/contexta(config)# vpngroup admin split-tunnel VPN_SPLIT
FWSM/contexta(config)# vpngroup admin password $ecure23
FWSM/contexta(config)# telnet 10.1.1.1 255.255.255.255 outside
FWSM/contexta(config)# telnet 10.1.1.2 255.255.255.255 outside
FWSM/contexta(config)# telnet timeout 30
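Steps 5 through 10 only work together if every pool address is covered by the split-tunnel ACL and by a telnet or ssh command; the following script checks that consistency on a saved configuration and is an added example, not code from the Cisco guide. For each vpngroup it reports whether the required split-tunnel command is present, which pool addresses its ACL does not cover, and which pool addresses no telnet or ssh command allows. The sample configuration is constructed from the page's example with the pool widened to 10.1.1.3 so the check has something to report, and the parser also accepts the address-and-mask ACL destination form and ssh lines, which the example above does not use.

```python
import ipaddress
import re

# Constructed sample based on the page's example; the pool is widened to 10.1.1.3,
# so the third address has no split-tunnel ACL entry and no telnet entry.
SAMPLE_CONFIG = """
ip local pool client_pool 10.1.1.1-10.1.1.3
access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.1
access-list VPN_SPLIT extended permit ip host 209.165.200.225 host 10.1.1.2
vpngroup admin address-pool client_pool
vpngroup admin split-tunnel VPN_SPLIT
vpngroup admin password $ecure23
telnet 10.1.1.1 255.255.255.255 outside
telnet 10.1.1.2 255.255.255.255 outside
"""

def pool_addresses(first, last):
    """Expand an 'ip local pool first-last' range into individual IPv4 addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def covered(addr, networks):
    return any(ipaddress.IPv4Address(addr) in n for n in networks)

def check_vpn_management(config):
    """Per vpngroup: split-tunnel present, pool addresses the ACL misses, addresses no telnet/ssh allows."""
    pools, acl_dests, groups, mgmt_nets = {}, {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) ([\d.]+)(?:-([\d.]+))?$", line):
            pools[m[1]] = pool_addresses(m[2], m[3] or m[2])
        # ACL destination is either 'host A' or 'A MASK' (the page allows both forms)
        elif m := re.match(r"access-list (\S+) (?:extended )?permit \S+ host \S+ "
                           r"(?:host ([\d.]+)|([\d.]+) ([\d.]+))$", line):
            net = m[2] + "/32" if m[2] else m[3] + "/" + m[4]
            acl_dests.setdefault(m[1], []).append(ipaddress.IPv4Network(net, strict=False))
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"(?:telnet|ssh) ([\d.]+) ([\d.]+) \S+$", line):
            mgmt_nets.append(ipaddress.IPv4Network(m[1] + "/" + m[2], strict=False))
    findings = {}
    for name, g in groups.items():
        addrs = pools.get(g.get("address-pool"), [])
        acl = acl_dests.get(g.get("split-tunnel"), [])
        findings[name] = {
            "missing_split_tunnel": "split-tunnel" not in g,
            "not_in_acl": [a for a in addrs if not covered(a, acl)],
            "not_allowed_mgmt": [a for a in addrs if not covered(a, mgmt_nets)],
        }
    return findings
```

Run `check_vpn_management` over the output of `show running-config` from the context being checked; an address listed under `not_in_acl` or `not_allowed_mgmt` is one a client could be assigned without being able to reach the FWSM for management.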
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
11-8