Creating a Client VPN Policy

!-- Access List for NAT-0

access-list NAT-0-INSIDE remark -- No address translation for the VPN connections to Local LAN
access-list NAT-0-INSIDE permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

!-- Access List for VPN Clients to Inside. It is defined but not bound to an interface on this page;
!-- apply it with access-group, or rely on sysopt connection permit-ipsec, for decrypted client traffic to pass the outside interface.

access-list OUTSIDE-IN permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

!-- Setting up the local address pool that clients receive through IKE Mode Config (this is not a DHCP pool)

ip local pool VPNPOOL1 192.168.10.1-192.168.10.254

!-- No NAT between the inside LAN and the VPN client pool (identity NAT via the NAT-0-INSIDE list)

nat (inside) 0 access-list NAT-0-INSIDE

!-- Authentication. RADIUS and TACACS+ server groups are defined here, but the Xauth line below uses the LOCAL group.
!-- [Radius Server] and [Radius Session Key] are placeholders to be filled in.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host [Radius Server] [Radius Session Key] timeout 5
aaa-server LOCAL protocol local

!-- Configure a transform set that defines how the traffic will be protected.
!-- (3DES with MD5-HMAC is a legacy combination; newer releases also offer AES and SHA.)

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

!-- Create a dynamic crypto map and specify which
!-- transform sets are allowed for this dynamic crypto map entry.

crypto dynamic-map VPNUSERSZONE 10 set transform-set ESP-3DES-MD5

!-- Add the dynamic crypto map set into a static crypto map set.

crypto map VPNZONE 10 ipsec-isakmp dynamic VPNUSERSZONE

!-- Let the PIX initiate or answer IKE Mode Config exchanges so the client receives an address from the pool.

crypto map VPNZONE client configuration address initiate
crypto map VPNZONE client configuration address respond

!-- Enable the PIX to launch the Xauth application on the VPN Client.

crypto map VPNZONE client authentication LOCAL

!-- Apply the crypto map to the outside interface.

crypto map VPNZONE interface outside

!-- IKE Policy Configuration.
!-- (3DES, MD5 and DH group 2 are legacy choices; prefer AES, SHA and a larger DH group where the platform supports them.)

isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPOOL1 outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!-- IPSec group configuration for VPN Client.
!-- The vpngroup password is the group pre-shared key shared by every client; treat it as a secret.

vpngroup VPNCLIENTS1 address-pool VPNPOOL1
vpngroup VPNCLIENTS1 dns-server 192.168.1.17
vpngroup VPNCLIENTS1 default-domain domain.com
vpngroup VPNCLIENTS1 idle-time 1800
vpngroup VPNCLIENTS1 password 1234567890
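As an added example (not code from the page or from Cisco), the following Python script audits the text of a saved PIX configuration against the points in the listing above: it checks that every address pool a vpngroup hands out is covered by the nat 0 exemption ACL, flags legacy IKE policy and transform-set algorithms, and flags a group pre-shared key that is present in clear text. The regular expressions, the "legacy" sets and the masking convention are this example's own assumptions; the embedded SAMPLE_CONFIG is a constructed excerpt of the commands from this page.

```python
import ipaddress
import re

# Constructed sample: the lines from the page that the checks below inspect,
# embedded here so the audit runs offline.
SAMPLE_CONFIG = """
access-list NAT-0-INSIDE permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPNPOOL1 192.168.10.1-192.168.10.254
nat (inside) 0 access-list NAT-0-INSIDE
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup VPNCLIENTS1 address-pool VPNPOOL1
vpngroup VPNCLIENTS1 password 1234567890
"""

# Algorithms and DH groups this checker treats as legacy (a policy choice, not a PIX setting).
LEGACY_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
LEGACY_HASH = {"md5", "esp-md5-hmac"}
LEGACY_DH_GROUPS = {"1", "2"}


def parse_pools(lines):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for ln in lines:
        m = re.match(r"ip local pool (\S+) ([^-\s]+)-(\S+)$", ln)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def parse_nat0_networks(lines):
    """Return the source networks exempted from translation by the ACL named in 'nat (...) 0'."""
    acl_name = None
    for ln in lines:
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)$", ln)
        if m:
            acl_name = m.group(1)
    if acl_name is None:
        return []
    ace = re.compile(rf"access-list {re.escape(acl_name)} permit ip (\S+) (\S+) \S+ \S+$")
    nets = []
    for ln in lines:
        m = ace.match(ln)
        if m:  # PIX ACLs use dotted netmasks, which ipaddress accepts directly
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # 1. Every pool handed to clients must fall inside the nat 0 exemption, otherwise
    #    replies from the inside LAN are translated and never enter the tunnel.
    pools = parse_pools(lines)
    nat0 = parse_nat0_networks(lines)
    used = {m.group(1) for m in (re.match(r"vpngroup \S+ address-pool (\S+)$", ln) for ln in lines) if m}
    for name in sorted(used):
        if name not in pools:
            findings.append(f"vpngroup references undefined pool {name}")
            continue
        first, last = pools[name]
        if not any(first in net and last in net for net in nat0):
            findings.append(f"pool {name} ({first}-{last}) is not exempted from NAT by the nat 0 ACL")

    # 2. Legacy IKE (ISAKMP) policy parameters.
    legacy_by_key = {"encryption": LEGACY_ENCRYPTION, "hash": LEGACY_HASH, "group": LEGACY_DH_GROUPS}
    for ln in lines:
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", ln)
        if m and m.group(3) in legacy_by_key[m.group(2)]:
            findings.append(f"isakmp policy {m.group(1)}: legacy {m.group(2)} {m.group(3)}")

    # 3. Legacy IPsec transform sets.
    for ln in lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", ln)
        if m:
            for alg in m.group(2).split():
                if alg in LEGACY_ENCRYPTION or alg in LEGACY_HASH:
                    findings.append(f"transform-set {m.group(1)}: legacy algorithm {alg}")

    # 4. Group pre-shared key visible in the dump (assumed: a 'show run' capture masks it with asterisks).
    for ln in lines:
        m = re.match(r"vpngroup (\S+) password (\S+)$", ln)
        if m and set(m.group(2)) != {"*"}:
            findings.append(f"vpngroup {m.group(1)}: pre-shared key present in clear text")

    return findings
```

Feed audit() the text of a configuration capture; on the sample above it returns six findings (three for the ISAKMP policy, two for the transform set, one for the clear-text group password) and none for the pool, because 192.168.10.1-192.168.10.254 lies entirely within the NAT-0-INSIDE source network. Moving the pool to a subnet the ACL does not list produces the "not exempted from NAT" finding, which is the misconfiguration that silently breaks return traffic.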
