Crypto map for VPN users

bheire1973
Level 1

Hi,

On our router we currently have a crypto map for the site-to-site tunnel. How do I add/merge a new one, created for VPN users, onto the same interface?

crypto map CMAP - currently assigned to external - site to site

created map called EXT_MAP for client VPNs - this was actually in use before we created the tunnel.

Thanks for your help; I'm new to this, so any help would do!

Config as follows:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Reading
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network VPN_CLIENT_GROUP local
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.88.53.1
ip dhcp excluded-address 10.88.53.2 10.88.53.49
ip dhcp excluded-address 10.88.53.68
ip dhcp excluded-address 10.88.53.102
ip dhcp excluded-address 10.88.53.105
ip dhcp excluded-address 10.88.53.53
ip dhcp excluded-address 10.88.53.108
!
ip dhcp pool UK_LAN
   network 10.88.53.0 255.255.255.0
   domain-name xxxxxxxxxxxxx
   default-router 10.88.53.1
   dns-server 192.168.51.20 192.168.51.10
   lease 8
!
!
no ip domain lookup
ip domain name xxxxxxxxxxxx
ip name-server 10.88.53.102
login on-failure log
login on-success log
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-825856865
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-825856865
 revocation-check none
 rsakeypair TP-self-signed-825856865
!
!
crypto pki certificate chain TP-self-signed-825856865
 certificate self-signed 01
  xxxxxxx
  quit
!
!
username xxxxxxxxxxx
username xxxxxxxxxx
username xxxxxxxxx
username xxxxxxxxxxxx
username xxxxxxxxxxx
username xxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key xxxxxxxxxxxx address xx (remote site VPN IP)
!
crypto isakmp client configuration group VPN_CLIENTS
 key xxxxxxxxx
 dns 10.88.53.102
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxx (remote peer address)
 set transform-set TS
 set pfs group2
 match address VPN-TUNNEL
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
ip ftp username xxxxxxxxxxxxxxxxxx
ip ftp password xxxxxxxxxxxxxxxxxx
ip ssh source-interface FastEthernet0/1
ip ssh logging events
ip ssh version 2
!
!
!
interface FastEthernet0/0
 ip address 10.88.53.1 255.255.255.0
 ip access-group OUTBOUND_FILTER in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description To Internet
 ip address xxxxxxxxxx xxxxxxxxxxxxxxx
 ip access-group INBOUND_FILTER in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP
!
ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
!
!
no ip http server
ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
!
ip access-list standard SNMP-ACL
 permit 10.75.139.90
 deny   any log
ip access-list standard SSH-ACL
 permit xxxxxxxxxxxx
!
ip access-list extended INBOUND_FILTER
 permit udp any eq domain any
 permit tcp any eq domain any
 permit tcp any eq www any
 permit tcp any eq 563 any
 permit udp any eq 563 any
 permit tcp any eq 443 any
 permit udp any eq 443 any
 permit tcp any any eq 1723
 permit tcp any eq ftp any
 permit gre any any
 permit tcp any eq 3389 any
 permit tcp any eq ftp-data any
 permit tcp any any range 1023 65535
 permit icmp any any
 permit tcp any eq 1723 any
 permit tcp any eq smtp any
 permit tcp any eq pop3 any
 permit tcp any host xxxxxxxx
 permit tcp host xxxx host xxxxxx eq 22
 permit udp any host xxx.xxx.xxx.xxx eq isakmp
 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
 permit esp any host xxxxxxxx
 permit ahp any host xxxxxxxxxx
 permit tcp host xxxxx host xxx.xxx.xxx.xxx eq 22
 permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
 permit tcp host xxxxxx host xxx.xxx.xxx.xxx eq 22
ip access-list extended OUTBOUND_FILTER
 deny   tcp 10.88.53.0 0.0.0.255 any eq smtp
 permit ip any any
 permit icmp any any
ip access-list extended VPN-TUNNEL
 permit ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
ip access-list extended ssh-acl
 permit ip host 24.197.168.10 any
!
access-list 101 deny   ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
access-list 101 deny   ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 101 deny   ip 10.88.53.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 101 permit ip 10.88.53.0 0.0.0.255 any
access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
banner login
******************************************************************
                            * WARNING *
IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY
******************************************************************
!
line con 0
 exec-timeout 30 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178065
ntp server xxxx
ntp server xxxxx
ntp server xxxxxxx
end


Richard Burts
Hall of Fame

An interface can have only one crypto map applied to it. So unless there are to be two interfaces carrying the VPN traffic (and this config is pretty clear that there is only one interface that will carry VPN traffic), you need to combine the logic of the two separate crypto maps into a single crypto map. (The reason that the crypto map has a number, as in "crypto map CMAP 10 ipsec-isakmp", is so that you can have multiple instances within the crypto map to handle different logic.)

HTH

Rick

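A worked example of the merge Rick describes, added here by the editor; it is not part of either post. It keeps CMAP, the map set already bound to FastEthernet0/1, moves the three EXT_MAP client-VPN settings onto it, re-creates the dynamic entry under CMAP, and exempts the site-to-site peer from Xauth. All names (CMAP, EXT_DYNAMIC_MAP, VPN_CLIENT_LOGIN, VPN_CLIENT_GROUP, the elided "xx" peer address) come from the posted config; the sequence number 65535 for the dynamic entry is an assumption, any value above the static entry's 10 works.

```cisco
! Added example (editor's, not from the original post): fold the
! client-VPN settings of EXT_MAP into CMAP, the map set already bound
! to the outside interface. Assumption: seq 65535 for the dynamic entry.
!
! 1. Remove the unused EXT_MAP so a second, unbound map set does not linger.
no crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
no crypto map EXT_MAP client configuration address respond
no crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
no crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
!
! 2. Attach the Easy VPN server settings to CMAP. These apply to the
!    whole map set, not to one sequence number, so the site-to-site
!    entry at seq 10 keeps its peer, transform set, PFS and ACL.
crypto map CMAP client authentication list VPN_CLIENT_LOGIN
crypto map CMAP isakmp authorization list VPN_CLIENT_GROUP
crypto map CMAP client configuration address respond
!
! 3. Add the dynamic entry to CMAP with the highest sequence number.
!    Static entries are evaluated first; the dynamic entry only catches
!    IKE peers that no static entry (seq 10, match address VPN-TUNNEL)
!    claims, i.e. the remote-access clients from VPN_CLIENT_POOL.
crypto map CMAP 65535 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
! 4. Exempt the site-to-site peer from Xauth. Once the map set carries
!    "client authentication list", the router prompts every IKE peer on
!    that map for Xauth, including the remote router, unless that peer's
!    pre-shared key is marked no-xauth. "xx" is the elided peer address
!    from the posted config.
crypto isakmp key xxxxxxxxxxxx address xx no-xauth
!
! The interface binding does not change: CMAP stays on FastEthernet0/1.
interface FastEthernet0/1
 crypto map CMAP
```

After applying this, "show crypto map" should list both CMAP entries (10 with the static peer, 65535 with the dynamic map) and "Interfaces using crypto map CMAP: FastEthernet0/1"; "show crypto isakmp sa" and "show crypto session" then show the site-to-site peer and each connected client. Two checks the posted config already satisfies: INBOUND_FILTER permits UDP isakmp and non500-isakmp, ESP and AH to the outside address and permits 10.88.53.0/24 to the 192.168.240.0/24 pool, and NAT ACL 101 denies translation of LAN traffic toward both the pool and the 192.168.51.0/24 remote site, so neither needs to change for the clients. Two caveats: editing a crypto map that is bound to a live interface tears down the IPsec SAs of the entries you touch, so do this in a window when the site-to-site tunnel can drop briefly; and 3DES with SHA-1 and DH group 2, used in every policy and transform set here, is no longer considered adequate, so on an IOS release that supports it move both the ISAKMP policies and the transform sets to AES and a larger DH group.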