
Cisco Catalyst 6500 Series User Manual

11-9
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 11 Allowing Remote Management
Allowing a VPN Management Connection
Configuring a Site-to-Site Tunnel
To configure a site-to-site tunnel, first configure basic VPN settings (see “Configuring Basic Settings
for All Tunnels”), and then follow these steps:
Step 1 To set the shared key used by both peers, enter the following command:
FWSM/contexta(config)# isakmp key keystring address peer-address
Step 2 To identify the traffic allowed to go over the tunnel, enter the following command:
FWSM/contexta(config)# access-list acl_name [extended] {deny | permit} {protocol} host fwsm_interface_address dest_address mask
For the destination address, specify the addresses that are allowed to access the FWSM.
See the “Adding an Extended Access Control List” section on page 10-13 for more information about
ACLs.
Step 3 To create an IPSec tunnel, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority ipsec-isakmp
All tunnel attributes are identified by the same crypto map name.
The priority specifies the order in which multiple commands are evaluated. If you have a command for
this crypto map name that specifies ipsec-isakmp, and another that specifies ipsec-isakmp dynamic
(for VPN client connections), then the priority number determines the command that is evaluated first.
Step 4 To assign the ACL from Step 2 to this tunnel, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority match address acl_name
Step 5 To specify the remote peer on which this tunnel terminates, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority set peer ip_address
Step 6 To specify the transform sets for this tunnel (defined in the “Configuring Basic Settings for All Tunnels”
section on page 11-5), enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]
List multiple transform sets in order of priority (highest priority first). You can specify up to six
transform sets.
Step 7 To specify the interface at which you want this tunnel to terminate, enter the following command:
FWSM/contexta(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site
tunnel and VPN clients on the same interface, they need to share the same crypto map name.
This command must be entered after all other crypto map commands. If you change any crypto map
settings, remove this command with the no prefix, and reenter it.
Step 8 To allow Telnet or SSH access, see the “Allowing Telnet” section on page 11-1 and the “Allowing SSH”
section on page 11-2.
For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use
Telnet on the outside interface (209.165.200.225).
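
The ordering and consistency rules from Steps 2 through 7 can be checked mechanically before a command sequence is entered on the FWSM. The Python script below is an added example, not part of the Cisco guide; its sample input is constructed (placeholder key, made-up ACL, crypto map and transform set names, and a 192.0.2.0/24 destination network) and reuses only the peer and interface addresses named above.

```python
# Constructed sample: placeholder key; made-up ACL, map and transform set names and network.
SAMPLE = """\
isakmp key <shared-key> address 209.165.202.129
access-list TUNNEL extended permit ip host 209.165.200.225 192.0.2.0 255.255.255.0
crypto map mgmt_tunnel 10 ipsec-isakmp
crypto map mgmt_tunnel 10 match address TUNNEL
crypto map mgmt_tunnel 10 set peer 209.165.202.129
crypto map mgmt_tunnel 10 set transform-set ts1
crypto map mgmt_tunnel interface outside
"""

def audit(config):
    """Return findings for a command sequence; an empty list means Steps 2-7 are consistent."""
    findings, acls = [], set()
    entries, bound, iface_line, last_edit = {}, {}, {}, {}
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if t[:1] == ["access-list"] and len(t) > 1:
            acls.add(t[1])                                  # Step 2: ACL names
        elif t[:2] == ["crypto", "map"] and len(t) >= 5:
            name = t[2]
            if t[3] == "interface":                         # Step 7: one map name per interface
                if bound.setdefault(t[4], name) != name:
                    findings.append(f"line {n}: interface {t[4]} already uses crypto map {bound[t[4]]}")
                iface_line[name] = n
            else:
                last_edit[name] = n
                entry = entries.setdefault((name, t[3]), {})
                if t[4] == "ipsec-isakmp":                  # Step 3; dynamic entries are skipped below
                    entry["static"] = len(t) == 5
                elif len(t) > 6:                            # Steps 4-6: keyed by "match address", "set peer", ...
                    entry[" ".join(t[4:6])] = t[6:]
    for name, n in iface_line.items():                      # Step 7: interface command must come last
        if last_edit.get(name, 0) > n:
            findings.append(f"crypto map {name}: changed after the interface command on line {n}")
    for (name, prio), entry in entries.items():
        if not entry.get("static", True):
            continue
        tag = f"crypto map {name} {prio}"
        for key in ("match address", "set peer", "set transform-set"):
            if key not in entry:
                findings.append(f"{tag}: missing '{key}'")
        acl = entry.get("match address", [""])[0]
        if acl and acl not in acls:
            findings.append(f"{tag}: ACL {acl} is not defined")
        if len(entry.get("set transform-set", [])) > 6:     # Step 6: at most six transform sets
            findings.append(f"{tag}: more than six transform sets")
    return findings

print(audit(SAMPLE) or "no findings")
```

Lines beginning with no are ignored, so a sequence that removes the interface command, changes the crypto map and then reenters the interface command produces no ordering finding.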