EasyVPN Cisco IOS

From Teknologisk videncenter

Example

Cisco 819 EasyVPN client

!
ip dhcp pool RFC1918
 import all
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1
 dns-server 8.8.8.8
!
crypto ipsec client ezvpn HW-CLIENT
 connect auto
 group HW-CLIENT-GROUP45 key HW-GROUP5
 mode client
 peer 83.90.239.189
 xauth userid mode interactive
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
interface Vlan1
 ! address taken from the default-router of the RFC1918 DHCP pool above
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn HW-CLIENT inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 dialer-group 1
 crypto ipsec client ezvpn HW-CLIENT
!
ip nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 deny   ip any 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.44.0 0.0.0.255 any

Cisco 897 EasyVPN server

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EZVPN-POOL
!
crypto isakmp client configuration group HW-CLIENT-GROUP45
 key HW-GROUP5
 dns 192.168.40.1
 domain tekkom.local
 pool EZVPN-POOL
 acl EZVPN-ACL
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map EZVPN-MAP 1
 set transform-set TS
 reverse-route
!
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP
!
interface GigabitEthernet8
 bandwidth 1000000
 no ip address
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 service-policy output PARENT
!
interface GigabitEthernet8.66
 description INTERNET
 encapsulation dot1Q 66
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET
 crypto map EZVPN-MAP
!
interface Vlan1
 description DMZ
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
!
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12
!
ip access-list extended EZVPN-ACL
 permit ip 192.168.40.0 0.0.0.255 any
ip access-list extended INT2self-ACL
 permit udp any eq domain any gt 1023
ip access-list extended IP-TO-NAT
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.7.255 any
 permit ip 192.168.48.0 0.0.1.255 any
!
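As an added illustration (not code from this wiki page), a small Python script that cross-checks the client and server listings above before deployment: the client's `group ... key ...` against the server's `crypto isakmp client configuration group`, the sanity of the `ip local pool` range, and deprecated ISAKMP policy settings (3DES, DH group 2). The embedded config excerpts are constructed from the listings above.

```python
import re
from ipaddress import IPv4Address

# Constructed excerpts of the two listings above, enough for the checks below.
CLIENT_CFG = """\
crypto ipsec client ezvpn HW-CLIENT
 group HW-CLIENT-GROUP45 key HW-GROUP5
 peer 83.90.239.189
"""
SERVER_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group HW-CLIENT-GROUP45
 key HW-GROUP5
 pool EZVPN-POOL
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12
"""

def blocks(cfg, header):
    """Yield (args, body) for every IOS block whose top-level line starts with header."""
    pat = rf"^{re.escape(header)}(.*)\n((?:[ \t].*\n)*)"
    for m in re.finditer(pat, cfg, re.M):
        yield m.group(1).strip(), m.group(2)

def audit(client, server):
    """Return the findings a reviewer would raise before deploying these configs."""
    findings = []
    # 1. The client's 'group NAME key KEY' must match a server-side configuration group.
    server_keys = {}
    for args, body in blocks(server, "crypto isakmp client configuration group "):
        k = re.search(r"^\s*key (\S+)", body, re.M)
        server_keys[args] = k.group(1) if k else None
    for _, body in blocks(client, "crypto ipsec client ezvpn "):
        m = re.search(r"^\s*group (\S+) key (\S+)", body, re.M)
        if m and server_keys.get(m.group(1)) != m.group(2):
            findings.append(f"group/key mismatch for {m.group(1)}")
    # 2. 'ip local pool NAME START END' needs END >= START; IOS rejects the line otherwise.
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", server, re.M):
        if IPv4Address(m.group(3)) < IPv4Address(m.group(2)):
            findings.append(f"pool {m.group(1)}: end address below start")
    # 3. 3DES and DH group 1/2 are deprecated ISAKMP policy settings.
    for args, body in blocks(server, "crypto isakmp policy "):
        if re.search(r"^\s*encr 3des", body, re.M):
            findings.append(f"isakmp policy {args}: 3des")
        if re.search(r"^\s*group [12]\s*$", body, re.M):
            findings.append(f"isakmp policy {args}: weak DH group")
    return findings
```

Run against the excerpts as written, the script reports the truncated pool range and the 3DES/group 2 policy; a key typo on either side shows up as a group/key mismatch.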

Links