Saturday 4 May 2013

Cisco Client VPN Configuration


This was set up on a Cisco 857W running IOS 12.4(15)T12.
There is already a site-to-site VPN configured on this router, so the client VPN is set up with priority 2 for its ISAKMP policy and sequence 2 for its crypto map entry.
Names such as mapname, poolname, groupname, aclname, userlist, psk and the interface name external are placeholders to replace with your own values.
LAN : 192.168.0.0/24
VPN client pool : 172.16.0.0/24

Phase 1 policy parameters
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2


VPN client address pool
crypto isakmp client configuration address-pool local poolname
ip local pool poolname 172.16.0.1 172.16.0.254


VPN client group
crypto isakmp client configuration group groupname
 key psk
 pool poolname
 acl aclname
crypto isakmp keepalive 300
crypto isakmp xauth timeout 60


Phase 2 policy parameters
crypto ipsec transform-set transform-2 esp-3des esp-sha-hmac
crypto dynamic-map mapname 2
 set transform-set transform-2
 reverse-route


Crypto map
crypto map mapname client authentication list userlist
crypto map mapname isakmp authorization list groupname
crypto map mapname client configuration address respond
crypto map mapname 2 ipsec-isakmp dynamic mapname
interface external
 crypto map mapname


Define the phase 2 proxy IDs (this is the split-tunnel ACL referenced by acl aclname in the client group; only traffic to these networks is sent through the tunnel)
ip access-list extended aclname
 permit ip 172.16.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any


Exclude the client VPN range from the NAT rule, so that LAN traffic destined for VPN clients is not translated before it enters the tunnel
ip nat inside source list 101 interface external overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
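The crypto map above references two AAA lists, userlist (XAuth user authentication) and groupname (group authorization), that the post does not define. The following is an added example, not part of the original post, showing the AAA configuration those commands depend on, together with the no-xauth exemption for the existing site-to-site peer (which shares the same crypto map and would otherwise be challenged for a username). The username, password and peer address 203.0.113.1 are placeholders, and it is assumed the site-to-site peer uses a pre-shared key. The 3DES and DH group 2 parameters are kept as the post shows them; current IOS releases support AES and stronger groups.

```cisco
! Added example: AAA pieces referenced by the crypto map in the post
aaa new-model
! "crypto map mapname client authentication list userlist" looks up
! XAuth users in this list (local database)
aaa authentication login userlist local
! "crypto map mapname isakmp authorization list groupname" resolves the
! client group (key, pool, split-tunnel ACL) from this list
aaa authorization network groupname local
! Local XAuth account (placeholder credentials). Per-user accounts give
! individual accountability; the group key alone does not.
username vpnuser secret REPLACE_WITH_STRONG_PASSWORD
! Existing site-to-site peer: skip XAuth for it, since client
! authentication is now enabled on the shared crypto map.
! 203.0.113.1 is a placeholder for the real peer address.
crypto isakmp key REPLACE_WITH_SITE_PSK address 203.0.113.1 no-xauth
```

To verify a client connection, show crypto isakmp sa should list the client peer in QM_IDLE, show crypto ipsec sa should show packet counters incrementing on the SA for the client's pool address, show crypto session summarises both, and show ip local pool poolname shows which pool addresses are in use.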
