Scenario:
A user on the Internet should be able to reach the inside/corporate network 192.168.201.0. This is perhaps the simplest remote-access VPN scenario there is.
Topology:
192.168.201.0 ---- PIX --- (( INTERNET )) ---- home_user
VPN Client Pool = 172.16.1.1 to 172.16.1.254
Configuration:
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
isakmp key CISCO123 address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254
vpngroup VPNCLIENT address-pool CLIENTPOOL
vpngroup VPNCLIENT dns-server 4.2.2.2
vpngroup VPNCLIENT wins-server 24.24.24.24
vpngroup VPNCLIENT default-domain CISCO.COM
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password CISCO123
vpngroup VPNCLIENT split-tunnel SPLIT
crypto map MYMAP interface outside
isakmp enable outside
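A reviewer looking at this configuration wants two things checked: that the pieces agree with each other (the client pool is exempted from NAT and covered by the split-tunnel ACL, the crypto map is bound to the interface where ISAKMP is enabled) and that the cryptographic choices are ones still worth deploying (single DES, esp-md5-hmac, DH group 2 and a pre-shared key accepted from 0.0.0.0 are all on the weak side). The script below is an added example, not part of the original post or any Cisco tool: it embeds the configuration above (with the ipsec-isakmp keyword written in full), parses the PIX 6.x lines it needs with plain string matching, and reports findings. The "weak" lists are the author's own judgement, not a Cisco recommendation.

```python
"""Audit the PIX remote-access VPN configuration shown in the post.

Added example, not part of the original post. Parses the plain-text
config, flags weak IKE/IPsec settings and a wildcard pre-shared key,
and cross-checks that the client pool, the NONAT ACL, the split-tunnel
ACL, the crypto map and the isakmp-enabled interface agree.
"""
import ipaddress
import re

# The post's configuration, embedded so the script runs offline.
PIX_CONFIG = """\
access-list SPLIT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.201.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal
isakmp policy 200 authentication pre-share
isakmp policy 200 encryption des
isakmp policy 200 hash sha
isakmp policy 200 group 2
isakmp policy 200 lifetime 86400
isakmp key CISCO123 address 0.0.0.0 netmask 0.0.0.0
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
crypto dynamic-map CISCO 1 set transform-set MYSET
crypto map MYMAP 65535 ipsec-isakmp dynamic CISCO
ip local pool CLIENTPOOL 172.16.1.1-172.16.1.254
vpngroup VPNCLIENT address-pool CLIENTPOOL
vpngroup VPNCLIENT dns-server 4.2.2.2
vpngroup VPNCLIENT wins-server 24.24.24.24
vpngroup VPNCLIENT default-domain CISCO.COM
vpngroup VPNCLIENT idle-time 1800
vpngroup VPNCLIENT password CISCO123
vpngroup VPNCLIENT split-tunnel SPLIT
crypto map MYMAP interface outside
isakmp enable outside
"""

# Reviewer's judgement (assumption of this example): what counts as weak.
WEAK_ENCRYPTION = {"des"}            # 56-bit single DES
WEAK_DH_GROUPS = {"1", "2"}          # 768-bit and 1024-bit MODP groups
WEAK_ESP = {"esp-des", "esp-md5-hmac"}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")


def parse_acls(lines):
    """Map ACL name -> list of (source network, destination network)."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"),
                 ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls


def parse_pools(lines):
    """Map pool name -> (first address, last address)."""
    pools = {}
    for line in lines:
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools


def pool_within(pool, networks):
    """True if both ends of the pool fall inside one of the networks."""
    first, last = pool
    return any(first in net and last in net for net in networks)


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    acls, pools = parse_acls(lines), parse_pools(lines)
    nonat = split = pool_name = None
    maps, applied, isakmp_ifaces = set(), {}, set()
    for line in lines:
        w = line.split()
        if w[:2] == ["isakmp", "policy"]:
            if w[3] == "encryption" and w[4] in WEAK_ENCRYPTION:
                findings.append(f"weak IKE encryption: {line}")
            if w[3] == "group" and w[4] in WEAK_DH_GROUPS:
                findings.append(f"weak DH group: {line}")
        elif w[:2] == ["isakmp", "key"] and w[3:] == ["address", "0.0.0.0", "netmask", "0.0.0.0"]:
            findings.append(f"wildcard pre-shared key: any peer address may use key {w[2]}")
        elif w[:2] == ["isakmp", "enable"]:
            isakmp_ifaces.add(w[2])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak ESP algorithm {a} in transform-set {w[3]}"
                         for a in w[4:] if a in WEAK_ESP]
        elif w[:2] == ["crypto", "map"]:
            if w[3] == "interface":
                applied[w[2]] = w[4]      # crypto map NAME interface IFACE
            else:
                maps.add(w[2])            # crypto map NAME SEQ ipsec-isakmp ...
        elif w[:1] == ["nat"] and "access-list" in w:
            nonat = w[w.index("access-list") + 1]
        elif w[:1] == ["vpngroup"] and w[2] == "address-pool":
            pool_name = w[3]
        elif w[:1] == ["vpngroup"] and w[2] == "split-tunnel":
            split = w[3]
    # Cross-checks: the pool must be NAT-exempt and inside the split-tunnel ACL.
    pool = pools.get(pool_name)
    if pool is None:
        findings.append(f"address-pool {pool_name} is not defined by 'ip local pool'")
    else:
        for label, acl in (("NONAT", nonat), ("split-tunnel", split)):
            dests = [dst for _, dst in acls.get(acl, [])]
            if not pool_within(pool, dests):
                findings.append(f"client pool {pool_name} is not covered by the {label} ACL {acl}")
    # The crypto map must be bound to an interface with isakmp enabled.
    for name in maps:
        iface = applied.get(name)
        if iface is None:
            findings.append(f"crypto map {name} is not applied to any interface")
        elif iface not in isakmp_ifaces:
            findings.append(f"isakmp is not enabled on {iface}, where crypto map {name} is applied")
    return findings


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG):
        print(finding)
```

Run against the post's configuration, the structural cross-checks pass (the pool 172.16.1.1-172.16.1.254 sits inside the 172.16.1.0/24 destination of both ACLs, and MYMAP is bound to outside where ISAKMP is enabled), while the algorithm checks report DES for IKE, DH group 2, a wildcard pre-shared key, and esp-des plus esp-md5-hmac in the transform set. Changing the NONAT ACL to a different subnet, or dropping the isakmp enable line, produces the corresponding consistency finding instead.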
Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080884c2f.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml