After having shown the commands to build a Site-To-Site VPN, we turn to another type of Virtual Private Network, called Client-To-Site VPN. This type of service allows a remote PC (e.g. a home PC) to connect to your company's LAN, which is what teleworkers need. The configuration is somewhat different from Site-To-Site; part of it, as applied to the network above, is reported below. The central site router is named ROUTER-A.
ROUTER-A
username USERNAME secret 0 USER12345
!
crypto isakmp enable
crypto logging session
enable secret 0 USER54321
!
aaa new-model
aaa authentication login userauthen local
aaa authentication banner *Unauthorized Access Prohibited*
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remote-vpn-client
 banner ^C*** You are connected to the IOS Router by VPN Client-To-Site ***^C
 key 54321
 domain mycompany.com
 pool remote-vpn-pool
 max-users 10
 max-logins 10
 acl 150
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 description *** Client to Site VPN Users ***
 set transform-set VPN-SET
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 65535 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description *** ROUTER-A --> LAN ***
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 logging event subif-link-status
 logging event dlci-status-change
 ip access-group 103 in
 load-interval 30
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 description *** ROUTER-A --> WAN ***
 ip address 172.16.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 100 IETF
 crypto map clientmap
!
ip local pool remote-vpn-pool 10.0.0.250 10.0.0.254
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT ***
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 103 remark *** OPEN THE PORTS FOR SSH/TELNET SERVICES ON THE ROUTER ***
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq telnet
access-list 103 permit tcp any any eq 443
access-list 103 remark **********************************************
access-list 103 remark *** OPEN THE PORTS FOR VPN SITE-TO-SITE SERVICE ON THE ROUTER ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark **********************************************
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL FOR SPLIT-TUNNEL FROM VPN SITE-TO-CLIENT ***
access-list 150 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 remark **********************************************
!
route-map VPN-NAT permit 10
 match ip address 100
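The pieces of this configuration only work together if they agree with each other: the NAT route-map ACL (100) must deny LAN-to-pool traffic so it is routed into the tunnel untranslated, the split-tunnel ACL (150) pushed to the client must cover the same LAN, the crypto map must sit on the "ip nat outside" interface, and the inbound WAN ACL (103) must let IKE, NAT-T and ESP reach the router. The script below is an added example (not code from the original post) that parses a constructed copy of the ROUTER-A snippet, trimmed to those lines, and checks each of these relationships with IOS first-match ACL semantics; it also reports the points a reviewer of this config would flag, namely the 3DES/MD5/DH-group-2 choices in the ISAKMP policy and transform set and the fact that ACL 103 permits Telnet from anywhere. The check names and the parsing approach are my own assumptions, not an IOS feature.

```python
import ipaddress

# Constructed copy of the ROUTER-A snippet above, trimmed to the lines the checks use.
ROUTER_A = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 group 2
crypto isakmp client configuration group remote-vpn-client
 pool remote-vpn-pool
 acl 150
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map clientmap 65535 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip access-group 103 in
interface Serial0/0/0.1 point-to-point
 ip nat outside
 crypto map clientmap
ip local pool remote-vpn-pool 10.0.0.250 10.0.0.254
access-list 100 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 150 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map VPN-NAT permit 10
 match ip address 100
"""

def parse(text):
    """Group an IOS config into {top-level command: [sub-commands]} (one-space indent)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = line.strip()
            stanzas[current] = []
    return stanzas

def net(tokens):
    """Consume one ACL address spec ('any' or 'ADDR WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    host_bits = bin(int(ipaddress.IPv4Address(tokens[1]))).count("1")
    return ipaddress.ip_network(f"{tokens[0]}/{32 - host_bits}", strict=False), tokens[2:]

def acl(cfg, number):
    """Yield (action, proto, src, dst, trailer) for a numbered ACL, in config order."""
    for line in cfg:
        t = line.split()
        if t[:2] == ["access-list", number] and t[2] in ("permit", "deny"):
            src, rest = net(t[4:])
            dst, rest = net(rest)
            yield t[2], t[3], src, dst, " ".join(rest)

def first_match(entries, src_ip, dst_ip):
    """IOS first-match semantics for an IP flow; the implicit deny applies at the end."""
    for action, proto, src, dst, _ in entries:
        if proto == "ip" and src_ip in src and dst_ip in dst:
            return action
    return "deny"

def audit(text):
    """Cross-check the pieces of a Client-To-Site VPN that have to agree with each other."""
    cfg = parse(text)
    first = lambda prefix: next((k, v) for k, v in cfg.items() if k.startswith(prefix))
    ifaces = [v for k, v in cfg.items() if k.startswith("interface ")]
    res = {}
    # Sample flow: a LAN host (the 'ip nat inside' interface address) and the first pool address.
    client_ip = ipaddress.ip_address(first("ip local pool ")[0].split()[4])
    lan_ip = next(ipaddress.ip_address(s.split()[2]) for v in ifaces
                  if "ip nat inside" in v for s in v if s.startswith("ip address "))
    # LAN -> client must hit a deny in the NAT route-map ACL, so it enters the tunnel un-NATed.
    nat_acl = next(s.split()[-1] for s in first("route-map ")[1] if s.startswith("match ip address "))
    res["lan_to_client_exempt_from_nat"] = first_match(acl(cfg, nat_acl), lan_ip, client_ip) == "deny"
    # The split-tunnel ACL pushed to the client must permit that same LAN -> client pair.
    group = first("crypto isakmp client configuration group ")[1]
    split_acl = next(s.split()[1] for s in group if s.startswith("acl "))
    res["split_tunnel_covers_lan"] = first_match(acl(cfg, split_acl), lan_ip, client_ip) == "permit"
    # The crypto map carrying the dynamic map must be bound to the 'ip nat outside' interface.
    cmap = first("crypto map ")[0].split()[2]
    res["crypto_map_on_outside"] = any(f"crypto map {cmap}" in v and "ip nat outside" in v for v in ifaces)
    # The inbound WAN ACL has to let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach the router.
    wan = list(acl(cfg, next(s.split()[2] for v in ifaces for s in v
                             if s.startswith("ip access-group ") and s.endswith(" in"))))
    res["wan_acl_permits_ipsec"] = all(any(a == "permit" and p == proto and t == trailer for a, p, _, _, t in wan)
                                       for proto, trailer in (("udp", "eq isakmp"), ("udp", "eq non500-isakmp"), ("esp", "")))
    # Reviewer findings: clear-text management reachable from the WAN, and legacy algorithm choices.
    res["cleartext_mgmt_open"] = any(a == "permit" and t == "eq telnet" for a, _, _, _, t in wan)
    res["legacy_crypto"] = sorted({s for k, v in cfg.items() if k.startswith("crypto ")
                                   for s in [k, *v] if any(x in s for x in ("3des", "md5", "group 2"))})
    return res

if __name__ == "__main__":
    for name, value in audit(ROUTER_A).items():
        print(f"{name}: {value}")
```

Run against the snippet, every structural check comes back true, while `cleartext_mgmt_open` and `legacy_crypto` list what to harden; removing the `deny` line from ACL 100 makes `lan_to_client_exempt_from_nat` false, which is exactly the mistake that leaves clients able to reach the router but not the LAN hosts behind it.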
The best VPN I know is VPN NINJA, its website is www.vpnninja.com