11-5
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
For example, to enable the HTTPS server and let a host on the inside interface with an address of
192.168.1.2 access PDM, enter the following commands:
FWSM/contexta(config)# ca generate rsa key 1024
FWSM/contexta(config)# ca save all
FWSM/contexta(config)# http server enable
FWSM/contexta(config)# pdm history enable
FWSM/contexta(config)# http 192.168.1.2 255.255.255.255 inside
To allow all users on the 192.168.3.0 network to access PDM on the inside interface, enter the following
command:
FWSM/contexta(config)# http 192.168.3.0 255.255.255.0 inside
Allowing a VPN Management Connection
The FWSM supports IPSec for management access. An IPSec virtual private network (VPN) ensures that
IP packets can safely travel over insecure networks such as the Internet. All communication between two
VPN peers occurs over a secure tunnel, which means the packets are encrypted and authenticated by the
peers.
The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router,
using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the
case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
The FWSM can also accept connections from VPN clients, either hosts running the Cisco VPN client,
or VPN concentrators such as the Cisco PIX firewall or Cisco IOS router running the Easy VPN client.
Unlike a site-to-site tunnel, you do not know in advance the IP address of the client. Instead, you rely on
client authentication.
The FWSM can support 5 concurrent IPSec connections, with a maximum of 10 concurrent connections
divided between all contexts. You can control the number of IPSec sessions allowed per context using
resource classes. (See the “Configuring a Class” section on page 5-14.)
This section describes the following topics:
Configuring Basic Settings for All Tunnels, page 11-5
Configuring VPN Client Access, page 11-7
Configuring a Site-to-Site Tunnel, page 11-9
Configuring Basic Settings for All Tunnels
The following steps are required for both VPN client access and for site-to-site tunnels, and include
setting the Internet Key Exchange (IKE) policy (IKE is part of the Internet Security Association and Key
Management Protocol (ISAKMP)) and the IPSec transforms:
Step 1 To set the IKE encryption algorithm, enter the following command:
FWSM/contexta(config)# isakmp policy priority encryption {des | 3des}
The 3des keyword is more secure than des.
You can have multiple IKE policies. The FWSM tries each policy in order of the priority until the policy
matches the peer policy. The priority can be an integer from 1 to 65,534, with 1 being the highest priority
and 65,534 the lowest. Use this same priority number for the following isakmp commands.
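The two configuration fragments above (the http access entries that restrict who can reach PDM, and the isakmp policy line with its priority range and des/3des choice) are the kind of settings an administrator wants to review after the fact. The following script is an added example written for this page, not Cisco code and not part of the configuration guide. It parses a constructed sample of FWSM-style lines and reports entries that contradict what the text states: http (PDM) access granted from any address or from a range wider than the /24 used in the example, an isakmp policy priority outside 1 to 65,534, and an isakmp policy using single DES where the text recommends 3des. The function names (audit_http, audit_isakmp, audit_config) and the sample configuration are assumptions of this example.

```python
"""Audit FWSM management-access lines of the kind shown in this chapter.

Hypothetical helper written for this page, not Cisco code. It checks:
  * 'http <addr> <mask> <interface>' entries are narrow (no any-source entry);
  * 'isakmp policy <priority> encryption {des | 3des}' uses 3des and keeps
    the priority within 1..65534, the range stated in the guide.
"""
import ipaddress
import re

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
isakmp policy 10 encryption 3des
isakmp policy 20 encryption des
isakmp policy 70000 encryption 3des
"""

HTTP_RE = re.compile(r"^http\s+(\S+)\s+(\S+)\s+(\S+)$")
ISAKMP_RE = re.compile(r"^isakmp\s+policy\s+(\d+)\s+encryption\s+(\S+)$")

PRIORITY_MIN, PRIORITY_MAX = 1, 65534  # priority range given in the text


def audit_http(line):
    """Return findings for one 'http <addr> <mask> <interface>' line."""
    m = HTTP_RE.match(line)
    if not m:
        return []  # not an http access entry (e.g. 'http server enable')
    addr, mask, ifname = m.groups()
    try:
        # The FWSM syntax gives a dotted netmask; ipaddress accepts (addr, mask).
        net = ipaddress.IPv4Network((addr, mask), strict=False)
    except ValueError:
        return [f"unparseable http entry: {line}"]
    if net.prefixlen == 0:
        return [f"http (PDM) access from any address on '{ifname}'"]
    if net.prefixlen < 24:
        return [f"http (PDM) access from wide range {net} on '{ifname}'"]
    return []


def audit_isakmp(line):
    """Return findings for one 'isakmp policy <prio> encryption <alg>' line."""
    m = ISAKMP_RE.match(line)
    if not m:
        return []
    prio, alg = int(m.group(1)), m.group(2).lower()
    findings = []
    if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
        findings.append(
            f"isakmp policy {prio}: priority outside {PRIORITY_MIN}..{PRIORITY_MAX}"
        )
    if alg == "des":
        findings.append(f"isakmp policy {prio}: single DES; the guide prefers 3des")
    elif alg != "3des":
        findings.append(f"isakmp policy {prio}: unknown encryption keyword '{alg}'")
    return findings


def audit_config(text):
    """Run both checks over a configuration blob; findings come back in file order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        findings.extend(audit_http(line))
        findings.extend(audit_isakmp(line))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script reports the any-source http entry on the outside interface, the single-DES policy 20, and policy 70000 whose priority is out of range; the two http entries copied from the page and the 3des policy 10 produce no findings.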
