Cisco PIX Firewall EzVPN Configuration Template
1> define the address pools from which VPN Clients are assigned addresses
Pix (config) # ip local pool ezvpn-pool 192.168.1.1-192.168.1.100
Pix (config) # ip local pool ezvpn-pool2 192.168.1.101-192.168.1.200
2> define the VPN group attributes (the group password is the IKE pre-shared key that every client in the group carries; "cisco" below is a placeholder, use a strong value in production)
Pix (config) # vpngroup test1 address-pool ezvpn-pool
Pix (config) # vpngroup test1 dns-server 10.1.2.33
Pix (config) # vpngroup test1 default-domain test.com
Pix (config) # vpngroup test1 split-tunnel NONAT
Pix (config) # vpngroup test1 password cisco
Pix (config) # vpngroup test2 address-pool ezvpn-pool2
Pix (config) # vpngroup test2 dns-server 10.1.2.33
Pix (config) # vpngroup test2 default-domain test.com
Pix (config) # vpngroup test2 split-tunnel NONAT
Pix (config) # vpngroup test2 password cisco
3> define the traffic that must bypass NAT (nat 0): inside network to the VPN client pool. The same ACL is referenced by split-tunnel above, so its source networks are what the client routes into the tunnel, and its destination must match the pool defined in step 1 (192.168.1.0/24 here), otherwise the VPN traffic is still translated.
Pix (config) # access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Pix (config) # nat (inside) 0 access-list NONAT
4> enable XAUTH (per-user authentication on top of the group pre-shared key)
Use local authentication (PIX 6.3 or later):
Pix (config) # aaa-server LOCAL protocol local
Pix (config) # username sense password cisco
Pix (config) # crypto map mymap client authentication LOCAL
Use AAA authentication (PIX 6.2 or later). TACACS+ (the trailing "cisco" on the host line is the server shared secret):
Pix (config) # aaa-server tacacs+ protocol tacacs+
Pix (config) # aaa-server tacacs+ (inside) host 192.168.9.33 cisco
Pix (config) # crypto map mymap client authentication tacacs+
RADIUS:
Pix (config) # aaa-server radius protocol radius
Pix (config) # aaa-server radius (inside) host 192.168.9.34 cisco
Pix (config) # crypto map mymap client authentication radius
5> define the ISAKMP (IKE phase 1) policy. DES and MD5 as shown here are weak and should only be kept for legacy clients; prefer 3DES and SHA as in the configuration example further down.
Pix (config) # isakmp enable outside
Pix (config) # isakmp identity address
Pix (config) # isakmp policy 10 authentication pre-share
Pix (config) # isakmp policy 10 encryption des
Pix (config) # isakmp policy 10 hash md5
Pix (config) # isakmp policy 10 group 2
6> define the IPsec (phase 2) transform set, tunnel mode by default
Pix (config) # crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
7> define the dynamic crypto map, bind it into the static crypto map and apply the map to the outside interface
Pix (config) # crypto dynamic-map dynmap 10 set transform-set mytrans
Pix (config) # crypto map mymap 10 ipsec-isakmp dynamic dynmap
Pix (config) # crypto map mymap interface outside
8> enable IKE Mode Config and define which side starts the address assignment exchange
- initiate: the PIX (VPN server) pushes the address and group attributes to the client.
- respond: the PIX waits for the VPN Client to request them.
Pix (config) # crypto map mymap client configuration address initiate
Pix (config) # crypto map mymap client configuration address respond
9> permit the decrypted IPsec traffic: either write explicit interface ACLs for it, or let it bypass the interface ACLs with
Pix (config) # sysopt connection permit-ipsec
Configuration example:
Basic interface configuration
Pix (config) # interface eth0 auto
Pix (config) # interface eth1 auto
Pix (config) # nameif eth0 outside security0
Pix (config) # nameif eth1 inside security100
Pix (config) # ip address outside 218.1.1.2 255.255.255.0
Pix (config) # ip address inside 10.100.1.1 255.255.255.0
Set the default route
Pix (config) # route outside 0 0 218.1.1.1
Specify the traffic that bypasses NAT and is protected by IPsec (inside network to the client pool)
Pix (config) # access-list ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Set nat 0
Pix (config) # nat (inside) 0 access-list ezvpn
Set the client address pool
Pix (config) # ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
ISAKMP parameter configuration
Pix (config) # isakmp enable outside
Pix (config) # isakmp identity address
Pix (config) # isakmp policy 20 authen pre-share
Pix (config) # isakmp policy 20 encry 3des
Pix (config) # isakmp policy 20 hash sha
Pix (config) # isakmp policy 20 group 2
Set the transform set and the dynamic crypto map
Pix (config) # crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
Pix (config) # crypto dynamic-map vpn-dyn 10 set transform-set ccsp
Crypto map configuration
Pix (config) # crypto map cisco 10 ipsec-isakmp dynamic vpn-dyn
Pix (config) # crypto map cisco client configuration address initiate
Pix (config) # crypto map cisco interface outside
Group policy configuration
Pix (config) # vpngroup mobile address-pool ezvpn-pool
Pix (config) # vpngroup mobile dns-server 10.100.1.80
Pix (config) # vpngroup mobile default-domain itany.com
Pix (config) # vpngroup mobile split-tunnel ezvpn
Pix (config) # vpngroup mobile password cisco1234
Allow decrypted IPsec traffic to bypass the interface ACLs
Pix (config) # sysopt connection permit-ipsec
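The following audit script is an added example and not part of the original page. It parses the two configurations on this page (the template and the configuration example, embedded here as constructed copies with the abbreviated keywords written out in full) and reports what a reviewer would raise against the template: the DES/MD5 ISAKMP policy, the default group password, and a nat 0 / split-tunnel ACL whose destination does not cover the client pool. The password wordlist and the replacement group password in the hardened copy are assumptions for the example; the page's own "cisco1234" would be flagged by the same wordlist.

```python
"""Audit a Cisco PIX 6.x EzVPN configuration for the weak spots the template on
this page leaves open. Added example; the config texts are constructed samples."""
import ipaddress
import re

# Constructed sample mirroring the page's template: DES/MD5, group password
# "cisco", and a nat 0 / split-tunnel ACL that never matches the client pool.
TEMPLATE_CONFIG = """\
ip local pool ezvpn-pool 192.168.1.1-192.168.1.100
vpngroup test1 address-pool ezvpn-pool
vpngroup test1 split-tunnel NONAT
vpngroup test1 password cisco
access-list NONAT permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
sysopt connection permit-ipsec
"""

# Constructed sample mirroring the page's configuration example; the group
# password is an assumed non-default value for this example.
HARDENED_CONFIG = """\
ip local pool ezvpn-pool 192.168.1.1-192.168.1.254
access-list ezvpn permit ip 10.100.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list ezvpn
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
vpngroup mobile address-pool ezvpn-pool
vpngroup mobile split-tunnel ezvpn
vpngroup mobile password R3m0te-Gr0up-K3y!
sysopt connection permit-ipsec
"""

WEAK_ENCRYPTION = {"des"}   # 56-bit DES is brute-forceable
WEAK_HASH = {"md5"}         # prefer sha
WEAK_DH_GROUPS = {"1"}      # 768-bit MODP
DEFAULT_PASSWORDS = {"cisco", "cisco123", "cisco1234", "password"}  # assumed wordlist


def net(addr, mask):
    """PIX ACLs use real subnet masks (not wildcard masks)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Pull out the pieces the audit needs; unknown lines are ignored."""
    pools, groups, acls, nat0, policies, sysopt = {}, {}, {}, set(), {}, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"vpngroup (\S+) (address-pool|split-tunnel|password) (\S+)$", line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", line):
            nat0.add(m[1])
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            policies.setdefault(m[1], {})[m[2]] = m[3]
        elif line == "sysopt connection permit-ipsec":
            sysopt = True
    return pools, groups, acls, nat0, policies, sysopt


def acl_covers_pool(entries, pool):
    """True if one ACL entry's destination network holds the whole pool range."""
    first, last = pool
    return any(first in dst and last in dst for _src, dst in entries)


def audit(config):
    """Return (severity, message) findings for a PIX EzVPN config."""
    pools, groups, acls, nat0, policies, sysopt = parse(config)
    findings = []
    for name, attrs in groups.items():
        pool = pools.get(attrs.get("address-pool"))
        if attrs.get("password", "").lower() in DEFAULT_PASSWORDS:
            findings.append(("high", f"vpngroup {name}: default/guessable group password"))
        st = attrs.get("split-tunnel")
        if st and pool and not acl_covers_pool(acls.get(st, []), pool):
            findings.append(("high", f"vpngroup {name}: split-tunnel ACL {st} does not cover pool {attrs['address-pool']}"))
        if pool and not any(acl_covers_pool(acls.get(a, []), pool) for a in nat0):
            findings.append(("high", f"vpngroup {name}: no nat 0 ACL exempts pool {attrs['address-pool']} from NAT"))
    for num, attrs in policies.items():
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(("high", f"isakmp policy {num}: weak encryption {attrs['encryption']}"))
        if attrs.get("hash") in WEAK_HASH:
            findings.append(("high", f"isakmp policy {num}: weak hash {attrs['hash']}"))
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(("high", f"isakmp policy {num}: weak DH group {attrs['group']}"))
    if sysopt:
        findings.append(("info", "sysopt connection permit-ipsec: decrypted VPN traffic bypasses interface ACLs"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("template", TEMPLATE_CONFIG), ("example", HARDENED_CONFIG)):
        print(f"== {label}")
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
```

Run it against a real "show running-config" dump the same way; the parser only looks at the pool, vpngroup, access-list, nat 0, isakmp policy and sysopt lines, so the rest of the configuration is ignored. The pool check is deliberately strict: the pool's first and last address must both sit inside one ACL entry's destination network, which is exactly what nat 0 and the split-tunnel list need for every assigned client address.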
Reposted from the Cisco Technology Forum (Network Customer Alliance guest post)