In this example the head office EZVPN LAN is 10.1.1.0/24 and the remote office LAN is 10.101.1.0/24:
-----10.1.1.0/24----ASA(EZVPN server)-----internet-----Cisco 800-----10.101.1.0/24
EZVPN server: Cisco ASA 5510
group-policy EASYVPNGroupPolicy internal
group-policy EASYVPNGroupPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage enable
 ip-comp disable
 re-xauth disable
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EASYVPN_splitTunnelAcl
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
 backup-servers keep-client-config
access-list EASYVPN_splitTunnelAcl extended permit ip 10.1.1.0 255.255.255.0 any
tunnel-group EASYVPNProfile type remote-access
tunnel-group EASYVPNProfile general-attributes
 default-group-policy EASYVPNGroupPolicy
tunnel-group EASYVPNProfile ipsec-attributes
 pre-shared-key *
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto dynamic-map easyvpn 100 set transform-set TRANS
crypto dynamic-map easyvpn 100 set security-association lifetime seconds 28800
crypto dynamic-map easyvpn 100 set security-association lifetime kilobytes 4608000
crypto dynamic-map easyvpn 100 set reverse-route
crypto map outside_map 100 ipsec-isakmp dynamic easyvpn
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
EZVPN client: Cisco 800 series router
Building configuration...
Current configuration : 4899 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router800
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
!
!
!
username abc privilege 15 secret xyz
!
!
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto ipsec client ezvpn ASA
 connect auto
 group EASYVPNProfile key ezvpn
 mode network-extension
 peer X.X.X.X
 !!! this username and password have to be configured on the ASA as well
 username ezvpnclient1 password ezvpn
 xauth userid mode local
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN Interface
 ip address 10.101.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn ASA inside
!
interface Dialer0
 description Connected to Internet
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname username
 ppp chap password password
 ppp pap sent-username username password password
 crypto ipsec client ezvpn ASA
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list Nat interface Dialer0 overload
!
ip access-list extended Nat
 deny   ip 10.101.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.101.1.0 0.0.0.255 any
!
no cdp run
!
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
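The two sides of an EZVPN network-extension setup have to agree on several things that are easy to get wrong when they are typed separately: the ASA tunnel-group name and the router's group name, `nem enable` on the ASA for a client in network-extension mode, the ASA split-tunnel list and the router's NAT exemption (both should describe the head-office LAN), and the xauth user the router sends, which the ASA dump above does not define even though the router comment says it has to be. The script below is an added example written for this post, not part of it and not a Cisco tool: it walks trimmed copies of the two configurations with a few regular expressions (enough for these dumps, not a general Cisco config parser), reports every mismatch it finds, and also flags the 3DES, MD5 and DH group 2 lines, which are deprecated today. The embedded ASA split-tunnel ACL uses a subnet mask, which is what the ASA expects.

```python
import ipaddress
import re

# Trimmed copies of the two configurations in the post (server, then client);
# only the lines the checks below look at are kept.
ASA_CONFIG = """\
group-policy EASYVPNGroupPolicy attributes
 split-tunnel-network-list value EASYVPN_splitTunnelAcl
 nem enable
access-list EASYVPN_splitTunnelAcl extended permit ip 10.1.1.0 255.255.255.0 any
tunnel-group EASYVPNProfile type remote-access
tunnel-group EASYVPNProfile general-attributes
 default-group-policy EASYVPNGroupPolicy
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 30
 encryption 3des
 hash md5
 group 2
"""

IOS_CONFIG = """\
crypto ipsec client ezvpn ASA
 group EASYVPNProfile key ezvpn
 mode network-extension
 username ezvpnclient1 password ezvpn
 xauth userid mode local
ip access-list extended Nat
 deny ip 10.101.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.101.1.0 0.0.0.255 any
"""

# Lines that still use 3DES, MD5 or DH group 2 (all deprecated).
WEAK = re.compile(r"encryption 3des|hash md5|group 2$|crypto ipsec transform-set .*(3des|md5)")

def to_network(addr, mask):
    """Address plus an ASA subnet mask (255.255.255.0) or an IOS wildcard (0.0.0.255)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_asa(text):
    """Collect the EZVPN-relevant facts from the ASA side."""
    info = {"tunnel_groups": set(), "split_acl": None, "acls": {},
            "nem": False, "users": set(), "weak": []}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"tunnel-group (\S+) type remote-access", line):
            info["tunnel_groups"].add(m.group(1))
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            info["split_acl"] = m.group(1)
        elif m := re.match(r"access-list (\S+) (?:extended permit ip|standard permit) (\S+) (\S+)", line):
            info["acls"].setdefault(m.group(1), set()).add(to_network(m.group(2), m.group(3)))
        elif m := re.match(r"username (\S+) ", line):
            info["users"].add(m.group(1))
        elif line == "nem enable":
            info["nem"] = True
        elif WEAK.match(line):
            info["weak"].append(line)
    return info

def parse_ios(text):
    """Collect the EZVPN client settings and the NAT exemption from the router side."""
    info = {"group": None, "mode": None, "xauth_user": None, "nat_exempt": set()}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"group (\S+) key ", line):
            info["group"] = m.group(1)
        elif m := re.match(r"mode (\S+)", line):
            info["mode"] = m.group(1)
        elif m := re.match(r"username (\S+) password ", line):
            info["xauth_user"] = m.group(1)
        elif m := re.match(r"deny ip \S+ \S+ (\S+) (\S+)", line):
            # destinations the router must not NAT: its view of the head-office LAN
            info["nat_exempt"].add(to_network(m.group(1), m.group(2)))
    return info

def check(asa_text, ios_text):
    """Compare both sides; an empty list means the two configurations agree."""
    asa, ios = parse_asa(asa_text), parse_ios(ios_text)
    findings = []
    if ios["group"] not in asa["tunnel_groups"]:
        findings.append(f"group mismatch: client uses {ios['group']}, "
                        f"ASA tunnel-groups are {sorted(asa['tunnel_groups'])}")
    if ios["mode"] == "network-extension" and not asa["nem"]:
        findings.append("client runs network-extension mode but 'nem enable' is missing on the ASA")
    split = asa["acls"].get(asa["split_acl"], set())
    if split != ios["nat_exempt"]:
        findings.append(f"split-tunnel networks {sorted(map(str, split))} differ from "
                        f"the client's NAT exemptions {sorted(map(str, ios['nat_exempt']))}")
    if ios["xauth_user"] and ios["xauth_user"] not in asa["users"]:
        findings.append(f"xauth user '{ios['xauth_user']}' is not defined on the ASA")
    findings.extend(f"deprecated algorithm in use: {line}" for line in asa["weak"])
    return findings

if __name__ == "__main__":
    print(*check(ASA_CONFIG, IOS_CONFIG), sep="\n")
```

Run against the dumps from the post it reports the missing `ezvpnclient1` user and the six deprecated-algorithm lines and nothing else; feeding it full `show running-config` output works the same way, since each check keys on the first word of a stripped line.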
Friday, June 19, 2009