Creating a Client VPN Policy
!--- Access List for NAT-0
access-list NAT-0-INSIDE remark --- No address translation for the VPN connections to Local LAN
access-list NAT-0-INSIDE permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Access List for VPN Clients to Inside
access-list OUTSIDE-IN permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Setting up DHCP Pool for Clients
ip local pool VPNPOOL1 192.168.10.1-192.168.10.254
!--- No NAT from VPN to Inside
nat (inside) 0 access-list NAT-0-INSIDE
!--- Authentication
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host [Radius Server] [Radius Session Key] timeout 5
aaa-server LOCAL protocol local
!--- Configure a transform set that defines how the traffic will be protected.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!--- Create a dynamic crypto map and specify which
!--- transform sets are allowed for this dynamic crypto map entry.
crypto dynamic-map VPNUSERSZONE 10 set transform-set ESP-3DES-MD5
!--- Add the dynamic crypto map set into a static crypto map set.
crypto map VPNZONE 10 ipsec-isakmp dynamic VPNUSERSZONE
!--- ???
crypto map VPNZONE client configuration address initiate
crypto map VPNZONE client configuration address respond
!--- Enable the PIX to launch the Xauth application on the VPN Client.
crypto map VPNZONE client authentication LOCAL
!--- Apply the crypto map to the outside interface.
crypto map VPNZONE interface outside
!--- IKE Policy Configuration.
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local VPNPOOL1 outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
vpngroup VPNCLIENTS1 address-pool VPNPOOL1
vpngroup VPNCLIENTS1 dns-server 192.168.1.17
vpngroup VPNCLIENTS1 default-domain domain.com
vpngroup VPNCLIENTS1 idle-time 1800
vpngroup VPNCLIENTS1 password 1234567890
