! Inside interface: named "inside", security-level 100 (the highest, i.e. most
! trusted, level on an ASA), addressed 192.168.111.1 in 192.168.111.0/24.
! NOTE(review): the outside interface is referenced later in this listing
! (crypto map / isakmp) but its definition is not part of this excerpt.
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.111.1 255.255.255.0
! --- NAT exemption ACL (remark: "NAT0 for L2L VPN") ---
! Referenced by "nat (inside) 0 access-list NAT0-INSIDE": traffic matching these
! entries leaves the inside interface untranslated.
! NOTE(review): the first entry exempts the whole 192.168.0.0/16 range, which is
! wider than the two remote subnets named in the crypto ACLs below
! (192.168.21.0/24 and 192.168.23.0/24). Confirm the /16 is intentional; an
! exemption limited to the actual VPN destinations is easier to reason about.
access-list NAT0-INSIDE remark *** NAT0 PER VPN L2L ***
access-list NAT0-INSIDE extended permit ip 192.168.111.0 255.255.255.0 192.168.0.0 255.255.0.0
! Mask 255.255.255.254 matches exactly 192.168.111.220-221, i.e. the two
! addresses of the remote-admins-pool (already covered by the /16 entry above).
access-list NAT0-INSIDE extended permit ip 192.168.111.0 255.255.255.0 192.168.111.220 255.255.255.254
! --- Crypto ACLs (remark: "crypto ACL for L2L VPN with ---") ---
! Each one selects the traffic protected by one site-to-site tunnel:
! CRYPTO-ACL-RM is matched by crypto map entry 20, CRYPTO-ACL-VM by entry 30.
! The peer name in the remarks was redacted ("---") by the author.
! NOTE(review): the remote peer normally needs the mirror-image ACL - verify.
access-list CRYPTO-ACL-RM remark *** CRYPTO ACL PER VPN L2L CON --- ***
access-list CRYPTO-ACL-RM extended permit ip 192.168.111.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list CRYPTO-ACL-VM remark *** CRYPTO ACL PER VPN L2L CON --- ***
access-list CRYPTO-ACL-VM extended permit ip 192.168.111.0 255.255.255.0 192.168.23.0 255.255.255.0
! --- Split-tunnel list (remark: "split tunnel for VPN client") ---
! Used by group-policy remote-admins: only traffic to 192.168.111.0/24 is sent
! through the client tunnel. It only selects what is tunnelled; it does not
! restrict which inside hosts or ports a connected client may reach.
access-list remote-admins_splitTunnel remark *** SPLIT TUNNEL PER VPN CLIENT ***
access-list remote-admins_splitTunnel standard permit 192.168.111.0 255.255.255.0
! Address pool handed to remote-access VPN clients: two addresses only
! (192.168.111.220 and .221), so at most two clients can hold an address at once.
! NOTE(review): the pool is carved out of the inside subnet 192.168.111.0/24.
! Confirm no LAN host or DHCP scope uses .220/.221; a dedicated, non-overlapping
! client subnet would make client traffic easier to filter and log separately.
ip local pool remote-admins-pool 192.168.111.220-192.168.111.221 mask 255.255.255.0
! Pre-8.3 NAT syntax. NAT ID 1: inside hosts are translated (PAT) to the address
! of the outside interface.
global (outside) 1 interface
! NAT ID 0 with an ACL = NAT exemption for traffic matching NAT0-INSIDE
! (VPN-bound traffic must reach the tunnel untranslated).
nat (inside) 0 access-list NAT0-INSIDE
! Everything else sourced from 192.168.111.0/24 uses the "global 1" translation.
nat (inside) 1 192.168.111.0 255.255.255.0
! Locally defined ("internal") group policy applied to the remote-admins
! tunnel-group through its default-group-policy setting.
group-policy remote-admins internal
group-policy remote-admins attributes
! Only IPSec (IKEv1 client) tunnels are allowed for this group.
vpn-tunnel-protocol IPSec
! Split tunnelling: only the networks in the list below go through the tunnel;
! the client reaches everything else directly over its own connection.
! NOTE(review): for an administrators' group this leaves the client attached to
! the Internet and the inside LAN simultaneously - confirm this is acceptable.
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote-admins_splitTunnel
! NOTE(review): no vpn-filter, idle/session timeout or DNS attributes are visible
! in this excerpt; they may be inherited from the default policy - verify.
! --- IPsec (phase 2) transform sets ---
! Both use 3DES encryption; integrity is HMAC-MD5 or HMAC-SHA (SHA-1).
! NOTE(review): 3DES and MD5 are legacy algorithms. Where the peers support it,
! plan a coordinated move to an AES transform set with SHA integrity; the change
! must be made on both ends of each tunnel or the tunnel will not come up.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! --- Dynamic map: serves peers whose address is not known in advance ---
! (here the remote-access clients). PFS is requested, the SHA transform set is
! used, and reverse-route injection installs a route for each connected client.
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
! --- Static entry 20: site-to-site tunnel for traffic in CRYPTO-ACL-RM ---
! Peer address redacted ("---") by the author.
! NOTE(review): unlike the dynamic map, entries 20 and 30 show no "set pfs" and
! use the MD5 transform set - the site-to-site tunnels are the weaker ones here.
crypto map outside_map 20 match address CRYPTO-ACL-RM
crypto map outside_map 20 set peer ---
crypto map outside_map 20 set transform-set ESP-3DES-MD5
! --- Static entry 30: site-to-site tunnel for traffic in CRYPTO-ACL-VM ---
crypto map outside_map 30 match address CRYPTO-ACL-VM
crypto map outside_map 30 set peer ---
crypto map outside_map 30 set transform-set ESP-3DES-MD5
! The dynamic map is attached at the highest sequence number (65535) so the
! static site-to-site entries are evaluated before it.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
! Bind the whole crypto map to the outside interface.
crypto map outside_map interface outside
! --- IKEv1 (phase 1) ---
! ISAKMP is enabled on the outside interface, i.e. the ASA answers IKE there.
crypto isakmp enable outside
! Policy 10: pre-shared key, 3DES, MD5, DH group 2 (1024-bit), 86400 s (24 h)
! lifetime. Lower policy numbers have higher priority, so this MD5 policy is
! preferred over policy 30.
! NOTE(review): 3DES, MD5 and DH group 2 are all legacy choices. If the peers
! and clients allow it, add a stronger policy (AES, SHA, larger DH group) with a
! lower number and retire this one once every peer has migrated.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
! Policy 30: same as policy 10 but with SHA (SHA-1) as the hash.
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! NAT-Traversal enabled with a 20-second keepalive, so clients/peers behind a
! NAT device can establish tunnels.
crypto isakmp nat-traversal 20
! Notify peers when a session is torn down.
crypto isakmp disconnect-notify
! Built-in default remote-access group: only the IKE keepalive (dead peer
! detection) timers are set here - threshold 10 s, retry every 2 s.
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
! --- Site-to-site tunnel groups ---
! For ipsec-l2l the tunnel-group name is the peer's address; the author replaced
! both with the placeholder IP_ADDRESS. Presumably these correspond to the peers
! of crypto map entries 20 and 30 - confirm.
! "pre-shared-key *" is how the ASA masks the key in its output; the real value
! is not in this listing.
! NOTE(review): use a long, random and distinct pre-shared key per peer.
tunnel-group IP_ADDRESS type ipsec-l2l
tunnel-group IP_ADDRESS ipsec-attributes
pre-shared-key *
tunnel-group IP_ADDRESS type ipsec-l2l
tunnel-group IP_ADDRESS ipsec-attributes
pre-shared-key *
! --- Remote-access (VPN client) tunnel group ---
! Clients get an address from remote-admins-pool and the remote-admins group
! policy.
tunnel-group remote-admins type ipsec-ra
tunnel-group remote-admins general-attributes
address-pool remote-admins-pool
default-group-policy remote-admins
! Group pre-shared key, shared by every client configured for this group.
! NOTE(review): a group key alone does not identify the individual user. No
! authentication-server-group / per-user authentication setting is visible in
! this excerpt - verify that per-user (XAUTH/AAA) authentication is enforced.
tunnel-group remote-admins ipsec-attributes
pre-shared-key *