combining site to site vpn & vpn client on 837

Is it possible to combine VPN 'types' such that a Cisco 837 running EZ-VPN server is able to terminate VPN tunnels from Cisco VPN clients, as well as terminating a site-to-site VPN from another Cisco 837?

I am aware of a limitation of the IOS VPN server that allows only a single 'crypto map' to be applied to an interface, but was wondering if the two VPN types can be combined as above?

Thanks

Reply to
Graham Turner

I don't exactly know what EZ-VPN is, but you can certainly terminate router-to-router IPsec tunnels and Cisco VPN clients on the same router.

I may have an example config. Will have a dig.

As regards the single crypto map limit, the thing is that a single crypto map can have many "crypto map" statements.

Reply to
Bod43

This may have worked. I have sanitised it, hopefully not breaking it.

hostname psvvuk
!
! password 7 strings were stripped when the config was sanitised
username admin privilege 5 password 7
username psvvClient password 7
username cisco password 7
!
aaa new-model
!
! AAA lists referenced by the crypto map: XAUTH user login and group authorisation
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
ip domain name psvvglobal.com
!
! CBAC stateful inspection, one inspect name per direction
ip inspect name INTERNET-OUT tcp alert on audit-trail on
ip inspect name INTERNET-OUT udp alert on audit-trail on
ip inspect name INTERNET-OUT ftp alert on audit-trail on
ip inspect name INTERNET-OUT realaudio alert on audit-trail on
ip inspect name INTERNET-OUT rtsp alert on audit-trail on
ip inspect name INTERNET-IN tcp alert on audit-trail on
ip inspect name INTERNET-IN udp alert on audit-trail on
ip inspect name INTERNET-IN ftp alert on audit-trail on
ip inspect name INTERNET-IN realaudio alert on audit-trail on
ip inspect name INTERNET-IN rtsp alert on audit-trail on
!
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
! IKE phase 1 policies: policy 3 (default SHA hash, DH group 2) for the VPN
! clients, policy 10 (MD5, default DH group 1) for the site-to-site peer
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
! Pre-shared key for the remote 837. no-xauth stops this router challenging
! that peer for XAUTH, which is switched on for the crypto map set below.
crypto isakmp key 0 xxxxx address 21.22.40.110 no-xauth
!
! EZ-VPN group for the Cisco VPN clients: group key, pushed DNS and domain,
! client address pool and split-tunnel ACL
crypto isakmp client configuration group 3000client
 key 0 yyyyy
 dns 192.168.168.1
 domain psvvlon.psvvglobal.com
 pool ippool
 acl split-tunnel
!
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
!
! Dynamic map for the VPN clients, whose source addresses are not known
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
!
! One crypto map set, fw1, carries both the static site-to-site entry and the
! dynamic client entry. XAUTH and group authorisation apply to the whole set.
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond
!
! Static entry (seq 10): tunnel to the other 837, traffic selected by ACL 110
crypto map fw1 10 ipsec-isakmp
 set peer 21.22.40.110
 set security-association lifetime seconds 86400
 set transform-set ciscofw2
 match address 110
!
! Dynamic entry (seq 15): higher sequence number, so the static entry is tried first
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 description $FW_INSIDE$ psvv London ###
 ip address 192.168.16.254 255.255.255.0
 ip access-group E0-in in
 ip nat inside
 ip tcp adjust-mss 1392
!
! The single crypto map set is applied once, to the outside interface
interface Ethernet1
 description $FW_OUTSIDE$ outside Ethernet
 ip address 21.6.103.41 255.255.255.0
 ip access-group Internet-in in
 ip nat outside
 ip inspect INTERNET-IN in
 ip inspect INTERNET-OUT out
 crypto map fw1
!
! Address pool handed out to VPN clients
ip local pool ippool 10.10.16.1 10.10.16.254
! PAT for inside hosts; route-map nonat keeps VPN-bound traffic untranslated
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static 192.168.16.1 21.6.103.46 route-map static-nat extendable
ip classless
ip route 0.0.0.0 0.0.0.0 21.6.103.254
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!
! Split-tunnel ACL pushed to the clients: only these networks go down the tunnel
ip access-list extended split-tunnel
 permit ip 192.168.16.0 0.0.0.255 any
 permit ip 192.168.58.0 0.0.0.255 any
!
! ACLs 105 and 115 are not referenced anywhere else in this config
access-list 105 remark ### Client VPN Crypto Map permissions ####
access-list 105 permit ip host 192.168.16.1 any
access-list 105 deny ip any any log
!
! Crypto ACL for the site-to-site tunnel: local LAN and client pool to the remote LAN
access-list 110 remark crypto map psvv
access-list 110 permit ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 110 permit ip 10.10.16.0 0.0.0.255 192.168.58.0 0.0.0.255
!
access-list 115 remark VPN Client Rule
access-list 115 remark SDM_ACL Category=4
access-list 115 permit ip any any
!
! No-NAT list: traffic to the remote LAN and to the client pool is denied here
! so it is not translated before encryption
access-list 120 deny ip host 192.168.16.1 any
access-list 120 remark No NAT List
access-list 120 remark SDM_ACL Category=18
access-list 120 deny ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 120 deny ip 192.168.16.0 0.0.0.255 10.10.16.0 0.0.0.255
access-list 120 permit ip 192.168.16.0 0.0.0.255 any
!
! Static NAT list for 192.168.16.1, again exempting the VPN destinations
access-list 121 remark Static NAT List
access-list 121 deny ip 192.168.16.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 121 deny ip 192.168.16.0 0.0.0.255 10.10.16.0 0.0.0.255
access-list 121 permit ip host 192.168.16.1 any
!
route-map static-nat permit 4
 match ip address 121
!
route-map nonat permit 5
 match ip address 120
!

Reply to
Bod43
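A sanity check for a merged config of this kind, added here as an example and not part of the thread or of anything Cisco ships: a Python script that parses a constructed, cut-down excerpt of the config above and flags the three things that most often break when a static site-to-site entry and a dynamic client entry share one crypto map set. It checks that the dynamic entry carries a higher sequence number than every static entry (Cisco's guidance, so the static peer is matched first), that every static peer's pre-shared key carries no-xauth when the map set has client authentication enabled, and that no interface ends up with more than one crypto map name applied. SAMPLE_CONFIG, the function names and the finding texts are this example's own.

```python
"""Checks for an IOS config terminating a static site-to-site IPsec tunnel and
VPN-client sessions on one crypto map set. Added example: SAMPLE_CONFIG is a
constructed cut-down of the posted config; the functions are this example's own."""
import re
from collections import defaultdict

# Constructed excerpt: only the lines the checks below look at.
SAMPLE_CONFIG = """
crypto isakmp key 0 xxxxx address 21.22.40.110 no-xauth
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
crypto map fw1 client authentication list userauthenticate
crypto map fw1 10 ipsec-isakmp
 set peer 21.22.40.110
 match address 110
crypto map fw1 15 ipsec-isakmp dynamic dynmap
interface Ethernet1
 ip address 21.6.103.41 255.255.255.0
 crypto map fw1
"""


def _lines(config):
    """Config lines with blanks and '!' comments dropped, indentation kept."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def parse_crypto_map(config, name):
    """Static entries (seq, peer), dynamic entries (seq, dynamic-map name) and
    whether XAUTH client authentication is enabled on crypto map set `name`."""
    cm = {"dynamic": [], "client_auth": False}
    static = {}
    current = None  # sequence number whose sub-commands are being read
    prefix = rf"crypto map {re.escape(name)} "
    for ln in _lines(config):
        if not ln.startswith(" "):
            current = None  # any top-level command ends the previous entry
            m = re.match(prefix + r"(\d+) ipsec-isakmp(?: dynamic (\S+))?$", ln)
            if m:
                seq = int(m.group(1))
                if m.group(2):
                    cm["dynamic"].append((seq, m.group(2)))
                else:
                    static[seq] = None
                    current = seq
            elif re.match(prefix + r"client authentication list \S+$", ln):
                cm["client_auth"] = True
            continue
        m = re.match(r"\s+set peer (\S+)$", ln)
        if m and current is not None:
            static[current] = m.group(1)
    cm["static"] = sorted(static.items())
    return cm


def misordered_dynamic_entries(cm):
    """IOS walks a crypto map set in ascending sequence order; dynamic entries
    should be numbered highest so static entries are tried first."""
    highest_static = max((seq for seq, _ in cm["static"]), default=-1)
    return [(seq, dyn) for seq, dyn in cm["dynamic"] if seq < highest_static]


def peers_missing_no_xauth(config, cm):
    """With client authentication on the map set, every IKE peer is challenged
    for XAUTH unless its pre-shared key carries no-xauth; a router at the far
    end of a site-to-site tunnel cannot answer that challenge."""
    if not cm["client_auth"]:
        return []
    exempt = set()
    for ln in _lines(config):
        m = re.match(r"crypto isakmp key (?:\d )?\S+ address (\S+)"
                     r"(?: [\d.]+)?( no-xauth)?$", ln)
        if m and m.group(2):
            exempt.add(m.group(1))
    return [peer for _, peer in cm["static"] if peer and peer not in exempt]


def crypto_maps_per_interface(config):
    """Crypto map names applied under each interface. IOS takes one crypto map
    set per interface (a second command replaces the first)."""
    result, iface = defaultdict(list), None
    for ln in _lines(config):
        if not ln.startswith(" "):
            m = re.match(r"interface (\S+)$", ln)
            iface = m.group(1) if m else None
            continue
        m = re.match(r"\s+crypto map (\S+)$", ln)
        if m and iface:
            result[iface].append(m.group(1))
    return dict(result)


def run_checks(config, name):
    """Readable findings; an empty list means all three checks passed."""
    cm = parse_crypto_map(config, name)
    findings = []
    for seq, dyn in misordered_dynamic_entries(cm):
        findings.append(f"dynamic entry {name} {seq} ({dyn}) is numbered below "
                        f"a static entry; give it the highest sequence number")
    for peer in peers_missing_no_xauth(config, cm):
        findings.append(f"pre-shared key for site-to-site peer {peer} lacks "
                        f"no-xauth while {name} has client authentication")
    for iface, names in crypto_maps_per_interface(config).items():
        if len(set(names)) > 1:
            findings.append(f"{iface} has more than one crypto map applied: "
                            f"{', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_CONFIG, "fw1") or ["no findings"]:
        print(finding)
```

Run it against a full `show running-config` saved to a file by reading the file into `run_checks` in place of SAMPLE_CONFIG; the parser only looks at top-level `crypto map`, `crypto isakmp key` and `interface` blocks, so the rest of the config is ignored.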

Excellent, my thanks to you for the reply.

Reply to
Graham Turner

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.