VPN client IPSec config script on PIX\ASA IOS 7-8

Virtual private networks and related topics

Moderator: Federico.Lagni

Wizard
Intergalactic subspace network admin
Posts: 3441
Joined: Fri 03 Feb 2006, 10:04 am
Location: Emilia Romagna

### FIRST VPN CLIENT PROFILE ###

Code:

! Enable ISAKMP (IKE) on the interface the remote clients connect to
crypto isakmp enable outside

! Split-tunnel list: only traffic to this host is sent through the tunnel
access-list remoti_split standard permit host 129.6.75.1

! VPN-only user (privilege 0), locked to the "remoti" tunnel-group
username user01 password *** encrypted privilege 0
username user01 attributes
 vpn-group-policy remoti
 group-lock value remoti

! Client address pool, carved out of the inside subnet 129.6.75.0/24
ip local pool vpn-pool 129.6.75.110-129.6.75.120

group-policy remoti internal
group-policy remoti attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoti_split

tunnel-group remoti type ipsec-ra
tunnel-group remoti general-attributes
 default-group-policy remoti
 address-pool vpn-pool
tunnel-group remoti ipsec-attributes
 pre-shared-key 987bdhnksa()0%

! IKE phase 1 policy and IPsec phase 2 transform-set (abbreviations written out in full).
! 3DES, MD5 and DH group 2 were the usual choice when this was posted; prefer AES, SHA
! and a larger DH group where the platform supports them.
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp nat-traversal 20
crypto isakmp disconnect-notify
crypto isakmp reload-wait
vpn-sessiondb max-session-limit 10

! NAT exemption: traffic between the inside subnet and the client pool is not translated
access-list NAT0-ACL remark *** NAT0 FOR VPN CLIENT ***
access-list NAT0-ACL extended permit ip 129.6.75.0 255.255.255.0 129.6.75.0 255.255.255.0
nat (inside) 0 access-list NAT0-ACL
### DEFAULT POLICY CONFIG ###

Code:


! Settings inherited by every group-policy that does not override them
group-policy DfltGrpPolicy attributes
 ! no idle timeout: sessions stay up until the client disconnects
 vpn-idle-timeout none
 vpn-simultaneous-logins 10
 split-dns value ***.***.loc
 dns-server value 129.6.75.100
 default-domain value ***.***.loc
 ! "banner none" clears any previous banner; the banner value lines below define the one shown to clients
 banner none
 banner value ****************************************************************
 banner value ---------------------------------------------------------------
 banner value                 COMPANY VPN ***
 banner value ---------------------------------------------------------------
 banner value WARNING: System is RESTRICTED to authorized personnel ONLY!
 banner value Unauthorized use of this system will be logged and
 banner value prosecuted to the fullest extent of the law.
 banner value If you are NOT authorized to use this system, LOG OFF NOW!
 banner value ****************************************************************
### SECOND VPN CLIENT PROFILE ###

Code:

! Second profile: reuses the pool and transform-set of the first one, with its own
! split list (the whole inside subnet), group-policy, tunnel-group, pre-shared key
! and dynamic-map entry
access-list remoti-lan_SPLIT standard permit 129.6.75.0 255.255.255.0
username vpnadmin password *** encrypted privilege 0
username vpnadmin attributes
 vpn-group-policy remoti-lan
 group-lock value remoti-lan
group-policy remoti-lan internal
group-policy remoti-lan attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoti-lan_SPLIT
tunnel-group remoti-lan type ipsec-ra
tunnel-group remoti-lan general-attributes
 default-group-policy remoti-lan
 address-pool vpn-pool
tunnel-group remoti-lan ipsec-attributes
 pre-shared-key jhbhjabgew765723)=)%
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
The future is made of people who have intuitions and visions ..... they are the people who make the difference...... those gifted with a THIRD EYE....
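An added check, not from the original post and not Wizard's code: a small Python audit that parses config lines of the kind posted above and reports what a reviewer would flag in these profiles, namely the weak IKE phase 1 and ESP algorithms, the client pool taken from the inside subnet covered by the NAT0 ACL, the disabled idle timeout, and a pre-shared key left in the clear. The sample config is a constructed, abridged copy of the first profile; which algorithms and DH groups count as "weak" is this example's own assumption.

```python
"""Audit an ASA 7.x/8.x IPsec remote-access config for weak or risky settings.

Added example, not part of the original post. The sample below is a constructed,
abridged copy of the first profile posted above; what counts as "weak" here is
this example's assumption (DES/3DES, MD5, DH groups 1/2/5).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample input (abridged from the first profile, abbreviations as posted).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
ip local pool vpn-pool 129.6.75.110-129.6.75.120
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
tunnel-group remoti ipsec-attributes
 pre-shared-key 987bdhnksa()0%
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list NAT0-ACL extended permit ip 129.6.75.0 255.255.255.0 129.6.75.0 255.255.255.0
nat (inside) 0 access-list NAT0-ACL
"""

WEAK_ENC = {"des", "3des"}                 # assumption: anything below AES is weak
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2", "5"}                  # assumption: DH groups under 2048 bits are weak
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

ISAKMP_RE = re.compile(r"^crypto isakmp policy (\d+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
PSK_RE = re.compile(r"^pre-shared-key (\S+)")


def canon_attr(attr: str) -> str:
    """Expand the CLI abbreviations the ASA accepts (authen -> authentication, encrypt -> encryption)."""
    for full in ISAKMP_ATTRS:
        if full.startswith(attr):
            return full
    return attr


def parse_isakmp_policies(cfg: str) -> Dict[str, Dict[str, str]]:
    """Collect the one-line 'crypto isakmp policy N attr value' form into {N: {attr: value}}."""
    policies: Dict[str, Dict[str, str]] = {}
    for line in cfg.splitlines():
        m = ISAKMP_RE.match(line.strip())
        if m:
            policies.setdefault(m.group(1), {})[canon_attr(m.group(2))] = m.group(3)
    return policies


def parse_pools(cfg: str) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return {pool_name: (first_address, last_address)}."""
    pools = {}
    for line in cfg.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat0_subnets(cfg: str) -> List[ipaddress.IPv4Network]:
    """Source subnets of the 'permit ip' lines in any ACL referenced by 'nat (...) 0 access-list'."""
    nat0_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    subnets = []
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) in nat0_acls:
            subnets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return subnets


def audit(cfg: str) -> List[str]:
    """Return one finding per weak or risky setting; an empty list means nothing was flagged."""
    findings: List[str] = []
    for pid, attrs in parse_isakmp_policies(cfg).items():
        for attr, weak in (("encryption", WEAK_ENC), ("hash", WEAK_HASH), ("group", WEAK_DH)):
            if attrs.get(attr) in weak:
                findings.append(f"isakmp policy {pid}: weak {attr} {attrs[attr]}")
    for line in cfg.splitlines():
        m = TS_RE.match(line.strip())
        if m and WEAK_ESP.intersection(m.group(2).split()):
            findings.append(f"transform-set {m.group(1)}: weak ESP algorithms ({m.group(2)})")
    nat0 = parse_nat0_subnets(cfg)
    for name, (first, last) in parse_pools(cfg).items():
        for net in nat0:
            if first in net or last in net:   # pool overlaps the LAN: clients are reached via proxy ARP
                findings.append(f"pool {name}: {first}-{last} overlaps inside/NAT0 subnet {net}")
    if re.search(r"^\s*vpn-idle-timeout none", cfg, re.M):
        findings.append("group-policy: vpn-idle-timeout none, idle sessions never expire")
    for line in cfg.splitlines():
        m = PSK_RE.match(line.strip())
        if m and m.group(1) != "*":           # 'show run' masks keys with '*'; a real value was pasted
            findings.append("tunnel-group: pre-shared-key is in the clear in this config; rotate it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it prints seven findings for the sample: three for the ISAKMP policy (3des, md5, group 2), one for the transform-set, one for the pool overlapping 129.6.75.0/24, one for the idle timeout and one for the pasted pre-shared key. To audit a real device, feed it the output of `show running-config` instead of SAMPLE_CONFIG; the checks are deliberately lenient about abbreviations and leading spaces because pasted configs rarely match the exact form `show run` prints.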
thehawk
Cisco power user
Posts: 101
Joined: Wed 25 Oct 2006, 7:32 am

Dear Wizard,
does the pool have to correspond to a network that actually exists on the pix/asa, or is there no need for this restriction?

Where is the vpn-filter command for the ACL that selects the traffic to be filtered?

Probably the filter is selected by the username's vpn-group-policy?
thehawk
Cisco power user
Posts: 101
Joined: Wed 25 Oct 2006, 7:32 am

Another question.
If I add the vpn-filter command, do I still have to enable the ACL from the Outside interface toward the network to be reached remotely?
thehawk
Cisco power user
Posts: 101
Joined: Wed 25 Oct 2006, 7:32 am

Help Help