Cisco PIX firewall EzVPN configuration template

1> define the address pool allocated to the VPN Client

Pix (config) # ip local pool ezvpn-pool 192.168.1.1-192.168.1.100
Pix (config) # ip local pool ezvpn-pool2 192.168.1.101-192.168.1.200



2> define VPN group user attributes

Pix (config) # vpngroup test1 address-pool ezvpn-pool
Pix (config) # vpngroup test1 dns-server 10.1.2.33
Pix (config) # vpngroup test1 default-domain test.com
Pix (config) # vpngroup test1 split-tunnel NONAT
Pix (config) # vpngroup test1 password cisco

Pix (config) # vpngroup test2 address-pool ezvpn-pool2
Pix (config) # vpngroup test2 dns-server 10.1.2.33
Pix (config) # vpngroup test2 default-domain test.com
Pix (config) # vpngroup test2 split-tunnel NONAT
Pix (config) # vpngroup test2 password cisco


3> define the traffic that must bypass NAT (nat 0)

Pix (config) # access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
Pix (config) # nat (inside) 0 access-list NONAT


4> enable XAUTH

Use local authentication (PIX 6.3 or above):
Pix (config) # aaa-server LOCAL protocol local
Pix (config) # username sense password cisco
Pix (config) # crypto map mymap client authentication LOCAL

Use AAA authentication (PIX 6.2 or above):
Pix (config) # aaa-server tacacs+ protocol tacacs+
Pix (config) # aaa-server tacacs+ (inside) host 192.168.9.33 cisco
Pix (config) # crypto map mymap client authentication tacacs+

Pix (config) # aaa-server radius protocol radius
Pix (config) # aaa-server radius (inside) host 192.168.9.34 cisco
Pix (config) # crypto map mymap client authentication radius



5> define ISAKMP policies

Pix (config) # isakmp enable outside
Pix (config) # isakmp identity address
Pix (config) # isakmp policy 10 authen pre-share
Pix (config) # isakmp policy 10 encry des
Pix (config) # isakmp policy 10 hash md5
Pix (config) # isakmp policy 10 group 2



6> define the IPsec transform set (tunnel mode)

Pix (config) # crypto ipsec transform-set mytrans esp-3des esp-sha-hmac



7> define the dynamic crypto map, bind it into a static crypto map, and apply the map to the interface


Pix (config) # crypto dynamic-map dynmap 10 set transform-set mytrans

Pix (config) # crypto map mymap 10 ipsec-isakmp dynamic dynmap
Pix (config) # crypto map mymap interface outside



9> enable IKE Mode Config and define which side initiates the Mode Config (address assignment) exchange.

  • initiate: the PIX (VPN server) initiates the IKE Mode Config exchange with the client.
  • respond: the PIX responds to an IKE Mode Config request initiated by the VPN client.


Pix (config) # crypto map mymap client configuration address initiate
Pix (config) # crypto map mymap client configuration address respond




10> permit IPsec-decapsulated traffic, either with an ACL or with the following command

Pix (config) # sysopt connection permit-ipsec

Configuration example:

Basic interface configuration

Pix (config) # interface eth0 auto
Pix (config) # interface eth1 auto
Pix (config) # nameif eth0 outside security0
Pix (config) # nameif eth1 inside security100
Pix (config) # ip address outside 218.1.1.2 255.255.255.0
Pix (config) # ip address inside 10.100.1.1 255.255.255.0

Set default route

Pix (config) # route outside 0 0 218.1.1.1

Specify the traffic that bypasses NAT and is protected by IPsec (inside LAN to the client address pool).

Pix (config) # access-list ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0

Set nat 0

Pix (config) # nat (inside) 0 access-list ezvpn

Set the client address pool

Pix (config) # ip local pool ezvpn-pool 192.168.1.1-192.168.1.254

ISAKMP parameter configuration

Pix (config) # isakmp enable outside
Pix (config) # isakmp identity address
Pix (config) # isakmp policy 20 authen pre-share
Pix (config) # isakmp policy 20 encry 3des
Pix (config) # isakmp policy 20 hash sha
Pix (config) # isakmp policy 20 group 2

Set the transform set and the dynamic crypto map

Pix (config) # crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
Pix (config) # crypto dynamic-map vpn-dyn 10 set transform-set ccsp

Crypto map configuration

Pix (config) # crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn
Pix (config) # crypto map cisco client conf address initiate
Pix (config) # crypto map cisco interface outside

Group policy configuration

Pix (config) # vpngroup mobile address-pool ezvpn-pool
Pix (config) # vpngroup mobile dns-server 10.100.1.80
Pix (config) # vpngroup mobile default-domain itany.com
Pix (config) # vpngroup mobile split-tunnel ezvpn
Pix (config) # vpngroup mobile password cisco1234

Permit all traffic arriving through the IPsec tunnel (bypasses the interface ACL)

Pix (config) # sysopt connection permit-ipsec
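As an added check (example code written for this page, not part of the original template or of any Cisco tool), the following Python lints an EzVPN server configuration in the PIX CLI form shown above against steps 1 to 7 of the template: it verifies that each vpngroup's address pool and split-tunnel ACL are defined, flags the obsolete DES/MD5/group 1 ISAKMP values from step 5, and checks that every crypto map has XAUTH and an interface binding. The configuration inside it is constructed for the example, not captured from a device.

```python
import re

# Constructed sample config (not captured from a real device): the page's
# "configuration example" with step 5's des/md5 ISAKMP policy substituted in,
# the XAUTH line and crypto-map interface binding omitted, and a pool-name typo.
SAMPLE_CONFIG = """\
ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
access-list ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list ezvpn
isakmp enable outside
isakmp policy 20 authen pre-share
isakmp policy 20 encry des
isakmp policy 20 hash md5
isakmp policy 20 group 2
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
crypto dynamic-map vpn-dyn 10 set transform-set ccsp
crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn
vpngroup mobile address-pool ezvpn-pool2
vpngroup mobile split-tunnel ezvpn
vpngroup mobile password cisco1234
"""

# ISAKMP policy values to flag: DES, MD5 and DH group 1 are obsolete.
WEAK_ISAKMP = {"encry": {"des"}, "hash": {"md5"}, "group": {"1"}}

def lint_ezvpn(config):
    """Lint a PIX EzVPN server config (CLI text); return sorted finding strings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    pools = {m[1] for ln in lines if (m := re.match(r"ip local pool (\S+)", ln))}
    acls = {m[1] for ln in lines if (m := re.match(r"access-list (\S+)", ln))}
    maps = {m[1] for ln in lines if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", ln))}
    findings = set()
    for ln in lines:
        if m := re.match(r"vpngroup (\S+) address-pool (\S+)", ln):
            if m[2] not in pools:   # step 2 must reference a pool from step 1
                findings.add(f"vpngroup {m[1]}: address-pool {m[2]} is not defined")
        elif m := re.match(r"vpngroup (\S+) split-tunnel (\S+)", ln):
            if m[2] not in acls:    # split-tunnel names the NONAT ACL of step 3
                findings.add(f"vpngroup {m[1]}: split-tunnel ACL {m[2]} is not defined")
        elif m := re.match(r"isakmp policy (\d+) (encry|hash|group) (\S+)", ln):
            if m[3] in WEAK_ISAKMP[m[2]]:
                findings.add(f"isakmp policy {m[1]}: weak {m[2]} {m[3]}")
    for name in maps:
        # Step 4 (XAUTH) and step 7 (interface binding) must both exist per map.
        if not any(ln.startswith(f"crypto map {name} client authentication ") for ln in lines):
            findings.add(f"crypto map {name}: no XAUTH (client authentication) configured")
        if not any(ln.startswith(f"crypto map {name} interface ") for ln in lines):
            findings.add(f"crypto map {name}: not bound to an interface")
    return sorted(findings)
```

Running `lint_ezvpn(SAMPLE_CONFIG)` reports five findings for the sample; feeding it a `show running-config` dump of a PIX after the template has been applied should report none.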


Post reposted to Cisco Technology Forum guest Network Customer Alliance
