Security: Remote Access VPN

Moments ago Raj and I tried the remote access VPN and accessed each other's services over an encrypted tunnel.

Define local pool

ip local pool vpnpool 192.168.10.10-192.168.10.20 mask 255.255.255.0

Define username and password for remote user

username guest password guest privilege 0

(You would not want your remote user to have the full privileges of an admin, hence privilege 0.)

Permit VPN traffic over the internet

sysopt connection permit-vpn

(Exempts VPN traffic arriving on the outside interface from interface access-list checking.)

Permit same-security-level intra-interface traffic

same-security-traffic permit intra-interface

(Your remote user's traffic enters and leaves the ASA through the same interface; by default the ASA drops traffic that goes in and out of one interface.)

Exempt encrypted traffic from NAT

object-group network internal

network-object 192.168.20.0 255.255.255.0

object-group network remote

network-object 192.168.10.0 255.255.255.0

access-list vpn-traffic extended permit ip object-group internal object-group remote

nat (inside) 0 access-list vpn-traffic

(The object-groups must exist before the access-list that references them, so define them first. The "remote" network covers the vpnpool range, so traffic between the LAN and the VPN clients is matched by the ACL and left un-NATed.)

Define group-policy

group-policy cyrus-policy internal

group-policy cyrus-policy attributes

dns-server value 8.8.8.8

vpn-idle-timeout 60

Define ISAKMP (IKE phase 1)

crypto isakmp enable outside

(ISAKMP has to be enabled on the outside interface, where your remote users' traffic terminates.)

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

Define IPsec (IKE phase 2)

crypto ipsec transform-set vpn-set esp-aes esp-sha-hmac

Create dynamic map

crypto dynamic-map vpn-dyn 1 set transform-set vpn-set

Create crypto map

crypto map vpn-map 1 ipsec-isakmp dynamic vpn-dyn

Apply crypto map on the outside interface

crypto map vpn-map interface outside

Define tunnel-group

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

address-pool vpnpool

default-group-policy cyrus-policy

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

In your Easy VPN client, set the group name to vpnclient (the tunnel-group name) and the group password to the pre-shared key defined in the tunnel-group; the user then logs in with the username and password defined above.
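The pool and NAT-exemption steps above only work if the pool addresses actually fall inside the "remote" object-group and do not collide with the internal LAN. The following script is an added example, not part of the original post: it parses those lines of the ASA config (embedded below as a constructed sample in the order the CLI accepts) and reports any inconsistency before the config is deployed.

```python
import ipaddress
import re
# Constructed sample: the post's pool and NAT-exemption lines, object-groups defined before the ACL.
ASA_CONFIG = """\
ip local pool vpnpool 192.168.10.10-192.168.10.20 mask 255.255.255.0
object-group network internal
 network-object 192.168.20.0 255.255.255.0
object-group network remote
 network-object 192.168.10.0 255.255.255.0
access-list vpn-traffic extended permit ip object-group internal object-group remote
nat (inside) 0 access-list vpn-traffic
"""

def parse_pool(cfg):
    # (first, last) addresses of the 'ip local pool' range
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask \S+", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def parse_object_groups(cfg):
    groups, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith(" network-object ") and current:
            net, mask = line.split()[1:3]
            groups[current].append(ipaddress.ip_network(f"{net}/{mask}"))
    return groups

def parse_nat_exempt_acl(cfg):
    # (source, destination) object-groups of the ACL bound to 'nat (inside) 0'
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    m = re.search(rf"^access-list {acl} extended permit ip object-group (\S+) object-group (\S+)", cfg, re.M)
    return m.group(1), m.group(2)

def check_vpn_config(cfg):
    # Returns a list of findings; an empty list means pool and NAT exemption are consistent
    findings = []
    first, last = parse_pool(cfg)
    groups = parse_object_groups(cfg)
    src, dst = parse_nat_exempt_acl(cfg)
    findings += [f"object-group {g} referenced by ACL but never defined" for g in (src, dst) if g not in groups]
    for pool_net in ipaddress.summarize_address_range(first, last):
        # every pool address must sit inside the exemption's remote side, or its traffic gets NATed
        if not any(pool_net.subnet_of(n) for n in groups.get(dst, [])):
            findings.append(f"pool block {pool_net} is not covered by object-group {dst}")
        # the pool must not overlap the internal LAN it is exempted against
        if any(pool_net.overlaps(n) for n in groups.get(src, [])):
            findings.append(f"pool block {pool_net} overlaps the internal network in {src}")
    return findings
```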
