Is it possible to combine VPN 'types' such that a Cisco 837 running EzVPN server is able to terminate VPN tunnels from Cisco VPN clients, as well as terminating a site-to-site VPN from another Cisco 837?
I am aware of a limitation of the IOS VPN server that allows only a single 'crypto map' to be applied to an interface, but was wondering if the two VPN types can be combined as above?
aaa new-model
!
! AAA lists referenced by the EzVPN server (user login and group authorisation, both local)
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
ip domain name psvvglobal.com
!
ip inspect name INTERNET-OUT tcp alert on audit-trail on
ip inspect name INTERNET-OUT udp alert on audit-trail on
ip inspect name INTERNET-OUT ftp alert on audit-trail on
ip inspect name INTERNET-OUT realaudio alert on audit-trail on
ip inspect name INTERNET-OUT rtsp alert on audit-trail on
ip inspect name INTERNET-IN tcp alert on audit-trail on
ip inspect name INTERNET-IN udp alert on audit-trail on
ip inspect name INTERNET-IN ftp alert on audit-trail on
ip inspect name INTERNET-IN realaudio alert on audit-trail on
ip inspect name INTERNET-IN rtsp alert on audit-trail on
!
! Entry 10: static site-to-site tunnel to the other 837 (lower sequence number, evaluated first)
crypto map fw1 10 ipsec-isakmp
 set peer 21.22.40.110
 set security-association lifetime seconds 86400
 set transform-set ciscofw2
 match address 110
! Entry 15: dynamic entry for the VPN clients (higher sequence number, evaluated last)
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 description $FW_INSIDE$ psvv London ###
 ip address 192.168.16.254 255.255.255.0
 ip access-group E0-in in
 ip nat inside
 ip tcp adjust-mss 1392
!
interface Ethernet1
 description $FW_OUTSIDE$ outside Ethernet
 ip address 21.6.103.41 255.255.255.0
 ip access-group Internet-in in
 ip nat outside
 ip inspect INTERNET-IN in
 ip inspect INTERNET-OUT out
 crypto map fw1
!
ip local pool ippool 10.10.16.1 10.10.16.254
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static 192.168.16.1 21.6.103.46 route-map static-nat extendable
ip classless
ip route 0.0.0.0 0.0.0.0 21.6.103.254
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
ip access-list extended split-tunnel
 permit ip 192.168.16.0 0.0.0.255 any
 permit ip 192.168.58.0 0.0.0.255 any
!
access-list 105 remark ### Client VPN Crypto Map permissions ####
access-list 105 permit ip host 192.168.16.1 any
access-list 105 deny ip any any log
! 0.0.0.255   (tail of an access-list 110 entry whose start is missing from the post)
access-list 110 permit ip 10.10.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 115 remark VPN Client Rule
access-list 115 remark SDM_ACL Category=4
access-list 115 permit ip any any
access-list 120 deny ip host 192.168.16.1 any
access-list 120 remark No NAT List
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 120 deny ip 192.168.16.0 0.0.0.255 10.10.16.0 0.0.0.255
access-list 120 permit ip 192.168.16.0 0.0.0.255 any
access-list 121 remark Static NAT List
access-list 121 deny ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 121 deny ip 192.168.16.0 0.0.0.255 10.10.16.0 0.0.0.255
access-list 121 permit ip host 192.168.16.1 any
!
route-map static-nat permit 4
 match ip address 121
!
route-map nonat permit 5
 match ip address 120
!
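Added example, not part of the original post or of Cisco's tooling: a small Python lint over the crypto-map, interface and NAT-exemption lines of a config like the one above, which mixes a static site-to-site entry and a dynamic VPN-client entry in the single crypto map the interface allows. It checks that only one map is defined and applied to the outside interface, that the static entry carries a lower sequence number than the dynamic catch-all (IOS evaluates entries in ascending sequence order, and Cisco recommends the dynamic entries have the highest numbers so they are tried last), and that the no-NAT ACL exempts traffic to both the remote site and the client pool. The sample config is lifted from the post; the interface name, ACL number and subnets passed to `run_checks` default to the post's values and are assumptions for any other config.

```python
"""Lint an IOS crypto map that combines a static site-to-site entry with a
dynamic (VPN-client) entry. Added example; not code from the post or from Cisco."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines lifted from the config in the post above.
SAMPLE_CONFIG = """\
crypto map fw1 10 ipsec-isakmp
 set peer 21.22.40.110
 set transform-set ciscofw2
 match address 110
crypto map fw1 15 ipsec-isakmp dynamic dynmap
interface Ethernet1
 ip nat outside
 crypto map fw1
ip local pool ippool 10.10.16.1 10.10.16.254
access-list 110 permit ip 10.10.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 120 deny ip host 192.168.16.1 any
access-list 120 deny ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 120 deny ip 192.168.16.0 0.0.0.255 10.10.16.0 0.0.0.255
access-list 120 permit ip 192.168.16.0 0.0.0.255 any
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")


def parse_crypto_maps(config):
    """Return {map_name: [(seq, 'static'|'dynamic', dynamic_map_or_None), ...]}."""
    maps = defaultdict(list)
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if m:
            name, seq, dyn = m.groups()
            maps[name].append((int(seq), "dynamic" if dyn else "static", dyn))
    return dict(maps)


def parse_interface_crypto_maps(config):
    """Return {interface_name: crypto_map_name} for interfaces that apply a map."""
    applied, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the interface block
        elif current and line.strip().startswith("crypto map "):
            applied[current] = line.split()[2]
    return applied


def parse_numbered_acls(config):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}.
    'host X' parses as src='host', src_wc='X'; a trailing 'any' gives dst_wc=None."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            num, action, src, src_wc, dst, dst_wc = m.groups()
            acls[int(num)].append((action, src, src_wc, dst, dst_wc))
    return dict(acls)


def static_before_dynamic(entries):
    """True when every static entry precedes every dynamic entry by sequence number.
    A dynamic entry evaluated first would claim the static peer's traffic before the
    site-to-site entry is consulted, so the catch-all must sort last."""
    static_seqs = [seq for seq, kind, _ in entries if kind == "static"]
    dynamic_seqs = [seq for seq, kind, _ in entries if kind == "dynamic"]
    if not static_seqs or not dynamic_seqs:
        return True  # only one VPN type in the map; nothing to order
    return max(static_seqs) < min(dynamic_seqs)


def nat_exempt_covers(nonat_entries, dst_net, dst_wc):
    """True when the no-NAT ACL denies (= exempts from NAT) traffic to dst_net/dst_wc."""
    return any(action == "deny" and dst == dst_net and wc == dst_wc
               for action, _, _, dst, wc in nonat_entries)


def run_checks(config, outside_if="Ethernet1", nonat_acl=120,
               site_net=("192.168.58.0", "0.0.0.255"),
               pool_net=("10.10.16.0", "0.0.0.255")):
    """Run all checks; defaults are the post's values (assumed for other configs)."""
    maps = parse_crypto_maps(config)
    applied = parse_interface_crypto_maps(config)
    acls = parse_numbered_acls(config)
    map_name = applied.get(outside_if)
    entries = maps.get(map_name, [])
    nonat = acls.get(nonat_acl, [])
    return {
        "one_map_defined_and_applied": map_name is not None and set(maps) == {map_name},
        "has_static_and_dynamic": {kind for _, kind, _ in entries} == {"static", "dynamic"},
        "static_before_dynamic": static_before_dynamic(entries),
        "nonat_exempts_site": nat_exempt_covers(nonat, *site_net),
        "nonat_exempts_pool": nat_exempt_covers(nonat, *pool_net),
    }


if __name__ == "__main__":
    for check, ok in run_checks(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Paste the output of `show running-config` into `SAMPLE_CONFIG` (or read it from a file) to lint a real box; a failed `static_before_dynamic` is the one to fix before applying the map, since it means VPN-client negotiation could shadow the site-to-site peer.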