Remote access with Cisco Easy VPN (Pre-Shared)


Router configuration:

!
hostname Router1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.12
!
ip dhcp pool POD1_INSIDE
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.2
!
!
no ip ips deny-action ips-interface
no ip domain lookup
!
no ftp-server write-enable
!
!
!
username sdm privilege 15 password 0 sdm
username vpnstudent password 0 cisco
!
!
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SALES
 key cisco123
 domain cisco.com
 pool IPPOOL
!
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
 reverse-route
!
!
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
interface FastEthernet0/0
 description inside
 ip address 10.0.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description outside
 ip address 172.30.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map CLIENTMAP
!
router eigrp 1
 network 10.0.0.0
 network 172.30.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip local pool IPPOOL 11.0.1.20 11.0.1.30
ip classless
!
ip http server
ip http authentication local
no ip http secure-server
!
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 transport input telnet ssh
!
!
end

Steps:
1- AAA authentication configuration
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
2- We define the VPN policy that will be pushed to the client and the IP pool that remote users will use when they connect
ip local pool IPPOOL 11.0.1.20 11.0.1.30
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group SALES
key cisco123
domain cisco.com
pool IPPOOL
3- We configure and verify the transform sets and crypto maps
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
(We create the dynamic crypto map)
crypto dynamic-map DYNMAP 10
set transform-set MYSET
reverse-route
(We create the static crypto map)
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client configuration address respond (responds to client requests)
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP (we associate the dynamic crypto map)

4- We apply the static crypto map to the interface
interface FastEthernet0/1
crypto map CLIENTMAP

And that's it for the router.
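
An added example, not part of the original post: a small Python check that runs over an excerpt of the router configuration above and reports the settings a reviewer would want changed before using it outside a lab (cleartext passwords, MD5 and DH group 2 in the ISAKMP policy, no explicit encryption line, Telnet and plaintext HTTP management). The names RULES and audit are illustrative, and the DES fallback reported for a policy without an encryption line assumes a classic IOS 12.x release.

```python
import re

# Excerpt of the router configuration from this page (settings kept as posted).
CONFIG = """\
enable password cisco
username sdm privilege 15 password 0 sdm
username vpnstudent password 0 cisco
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
ip http server
line vty 0 4
 password cisco
 transport input telnet ssh
"""

# (regex for the enclosing stanza, or None for a top-level line; line regex; finding)
RULES = [
    (None, r"enable password (0 )?\S+$", "enable password in cleartext; use 'enable secret'"),
    (None, r"username \S+ .*\bpassword 0 ", "user password in cleartext; use 'secret'"),
    (None, r"ip http server$", "management over plaintext HTTP is enabled"),
    (r"crypto isakmp policy ", r"hash md5$", "IKE phase 1 integrity uses MD5"),
    (r"crypto isakmp policy ", r"group (1|2|5)$", "IKE Diffie-Hellman group is below 2048 bits"),
    (r"line vty ", r"password (0 )?\S+$", "vty line password in cleartext"),
    (r"line vty ", r"transport input .*\btelnet\b", "Telnet is accepted on the vty lines"),
]

def audit(config):
    """Return sorted (line_number, finding) pairs for weak settings in an IOS config."""
    findings, parent, policies = [], "", {}
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        top_level = not raw.startswith(" ")  # indented lines belong to the stanza above
        if top_level:
            parent = line
            if line.startswith("crypto isakmp policy "):
                policies[no] = False  # no encryption line seen in this policy yet
        elif parent.startswith("crypto isakmp policy ") and line.startswith("encr"):
            policies[max(policies)] = True  # matches both 'encr' and 'encryption'
        for stanza, pattern, finding in RULES:
            in_scope = top_level if stanza is None else (not top_level and re.match(stanza, parent))
            if in_scope and re.match(pattern, line):
                findings.append((no, finding))
    findings += [(no, "no 'encryption' line: classic IOS 12.x falls back to 56-bit DES")
                 for no, has_encryption in policies.items() if not has_encryption]
    return sorted(findings)
```

Calling audit(CONFIG) returns one finding per flagged line number of the excerpt; a stanza that uses 'enable secret', an explicit 'encr aes 256', 'hash sha', 'group 14' and 'transport input ssh' returns an empty list.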