09-19-2012 10:03 AM - edited 03-07-2019 08:58 AM
Hi,
On our router we currently have a crypto map for the site-to-site. How do I add or merge a new one created for VPN users to the same interface?
crypto map CMAP - currently assigned to external - site to site
Created a map called EXT_MAP for client VPNs - this was actually in use before we created the tunnel.
Thanks for your help, new to this, so any help would do!
Config as follows
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Reading
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network VPN_CLIENT_GROUP local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.88.53.1
ip dhcp excluded-address 10.88.53.2 10.88.53.49
ip dhcp excluded-address 10.88.53.68
ip dhcp excluded-address 10.88.53.102
ip dhcp excluded-address 10.88.53.105
ip dhcp excluded-address 10.88.53.53
ip dhcp excluded-address 10.88.53.108
!
ip dhcp pool UK_LAN
network 10.88.53.0 255.255.255.0
domain-name xxxxxxxxxxxxx
default-router 10.88.53.1
dns-server 192.168.51.20 192.168.51.10
lease 8
!
!
no ip domain lookup
ip domain name xxxxxxxxxxxx
ip name-server 10.88.53.102
login on-failure log
login on-success log
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-825856865
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-825856865
revocation-check none
rsakeypair TP-self-signed-825856865
!
!
crypto pki certificate chain TP-self-signed-825856865
certificate self-signed 01
xxxxxxx
quit
!
!
username xxxxxxxxxxx
username xxxxxxxxxx
username xxxxxxxxx
username xxxxxxxxxxxx
username xxxxxxxxxxx
username xxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxxxxxxxxxxx address xx(remote site VPN IP)
!
crypto isakmp client configuration group VPN_CLIENTS
key xxxxxxxxx
dns 10.88.53.102
pool VPN_CLIENT_POOL
acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
!
!
crypto map CMAP 10 ipsec-isakmp
set peer xxx remote peer address
set transform-set TS
set pfs group2
match address VPN-TUNNEL
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
ip ftp username xxxxxxxxxxxxxxxxxx
ip ftp password xxxxxxxxxxxxxxxxxx
ip ssh source-interface FastEthernet0/1
ip ssh logging events
ip ssh version 2
!
!
!
interface FastEthernet0/0
ip address 10.88.53.1 255.255.255.0
ip access-group OUTBOUND_FILTER in
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description To Internet
ip address xxxxxxxxxx xxxxxxxxxxxxxxx
ip access-group INBOUND_FILTER in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP
!
ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
!
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
!
ip access-list standard SNMP-ACL
permit 10.75.139.90
deny any log
ip access-list standard SSH-ACL
permit xxxxxxxxxxxx
!
ip access-list extended INBOUND_FILTER
permit udp any eq domain any
permit tcp any eq domain any
permit tcp any eq www any
permit tcp any eq 563 any
permit udp any eq 563 any
permit tcp any eq 443 any
permit udp any eq 443 any
permit tcp any any eq 1723
permit tcp any eq ftp any
permit gre any any
permit tcp any eq 3389 any
permit tcp any eq ftp-data any
permit tcp any any range 1023 65535
permit icmp any any
permit tcp any eq 1723 any
permit tcp any eq smtp any
permit tcp any eq pop3 any
permit tcp any host xxxxxxxx
permit tcp host xxxx host xxxxxx eq 22
permit udp any host xxx.xxx.xxx.xxx eq isakmp
permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
permit esp any host xxxxxxxx
permit ahp any host xxxxxxxxxx
permit tcp host xxxxx host xxx.xxx.xxx.xxx eq 22
permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
ip access-list extended OUTBOUND_FILTER
deny tcp 10.88.53.0 0.0.0.255 any eq smtp
permit ip any any
permit icmp any any
ip access-list extended VPN-TUNNEL
permit ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
ip access-list extended ssh-acl
permit ip host 24.197.168.10 any
!
access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 101 permit ip 10.88.53.0 0.0.0.255 any
access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
banner login
******************************************************************
* WARNING *
IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
******************************************************************
!
line con 0
exec-timeout 30 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178065
ntp server xxxx
ntp server xxxxx
ntp server xxxxxxx
end
09-19-2012 11:34 AM
An interface can have only one crypto map applied to it. So unless there are to be two interfaces carrying the VPN traffic (and this config is pretty clear that there is only one interface that will carry VPN traffic) then you need to combine the logic of two separate crypto maps into a single crypto map. (the reason that the crypto map has a number (crypto map CMAP 10 ipsec-isakmp) is so that you can have multiple instances within the crypto map to handle different logic).
HTH
Rick
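One way to carry out the merge Rick describes, written here as an added example rather than anything taken from the thread: the remote-access pieces of EXT_MAP move into CMAP, the static site-to-site entry keeps sequence 10, and the dynamic entry takes the highest sequence number so the static match is always evaluated first. The remote peer address is a placeholder.

```cisco
! Added example, not the poster's running config. Everything below goes into
! the single map CMAP that is already applied to FastEthernet0/1.
!
! Remote-access client handling: moved from EXT_MAP to CMAP (same lists).
crypto map CMAP client authentication list VPN_CLIENT_LOGIN
crypto map CMAP isakmp authorization list VPN_CLIENT_GROUP
crypto map CMAP client configuration address respond
!
! Static site-to-site entry, unchanged from the post, stays at sequence 10.
crypto map CMAP 10 ipsec-isakmp
 set peer <remote-peer-address>
 set transform-set TS
 set pfs group2
 match address VPN-TUNNEL
!
! Dynamic entry cannot reuse sequence 10 (already the static entry) and
! should sit at the HIGHEST sequence number so it is tried last: a client
! proposal then never shadows the site-to-site match.
crypto map CMAP 65535 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
! EXT_MAP is now redundant; remove it so its logic exists in one place only.
no crypto map EXT_MAP 10
no crypto map EXT_MAP client configuration address respond
no crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
no crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
!
! FastEthernet0/1 already carries "crypto map CMAP", so the interface itself
! needs no change. Verify afterwards:
!   show crypto map interface FastEthernet0/1   (both entries listed under CMAP)
!   show crypto isakmp sa                       (site-to-site peer still QM_IDLE)
!   show crypto ipsec sa peer <remote-peer-address>
```

Editing a crypto map that is live on the interface tears down the existing security associations for a moment, so apply the change in a maintenance window and re-check the site-to-site tunnel right after.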