service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!--- The username and password are used during local authentication.
username rtpuser password 0 rtpuserpass
!--- Enable AAA.
!--- Define server-group and servers for TACACS+.
aaa group server tacacs+ RTP
!--- In order to set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode.
aaa authentication login default group RTP local
aaa authentication login userauth local
aaa authorization exec default group RTP none
aaa authorization network groupauth local
aaa authorization auth-proxy default group RTP
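The method lists above only fall through to the next method when the preceding one returns an error (for example, the TACACS+ group RTP is unreachable), never when it rejects the user. That distinction decides what happens to exec authorization when the server is down: the trailing `none` on the default exec list means the session is authorized with no check at all. The following Python model is an added example, not Cisco code or anything from the original configuration guide; it encodes the page's four method lists and its single local user, and the TACACS+ server is simulated by a callable (an assumption for illustration).

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method could not be consulted (server group unreachable)

# Method lists exactly as written in the router configuration on the page.
METHOD_LISTS = {
    ("authentication", "login", "default"): ["group RTP", "local"],
    ("authentication", "login", "userauth"): ["local"],
    ("authorization", "exec", "default"): ["group RTP", "none"],
    ("authorization", "network", "groupauth"): ["local"],
}

# Local database from the page: 'username rtpuser password 0 rtpuserpass'.
LOCAL_USERS = {"rtpuser": "rtpuserpass"}

def run_method(kind, method, user, password, tacacs):
    """Evaluate one AAA method.

    kind    -- "authentication" or "authorization"
    tacacs  -- simulated server: callable(kind, user, password) -> Result,
               or None when the server group RTP is unreachable (assumption).
    """
    if method == "none":
        return Result.PASS               # IOS 'none': no check is performed
    if method == "local":
        if kind == "authentication":
            return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL
        return Result.PASS if user in LOCAL_USERS else Result.FAIL
    if method.startswith("group "):
        return Result.ERROR if tacacs is None else tacacs(kind, user, password)
    raise ValueError("unknown method %r" % method)

def apply_list(kind, methods, user, password, tacacs):
    """Walk a method list with IOS semantics: the next method is tried only
    after an ERROR, never after a FAIL. Returns (Result, deciding method).
    If every method errors, this model treats the request as failed (assumption)."""
    for method in methods:
        result = run_method(kind, method, user, password, tacacs)
        if result is not Result.ERROR:
            return result, method
    return Result.FAIL, None

def scenario(kind, service, listname, user, password, tacacs):
    return apply_list(kind, METHOD_LISTS[(kind, service, listname)], user, password, tacacs)

if __name__ == "__main__":
    rejecting_server = lambda kind, user, password: Result.FAIL
    # Server up and rejecting: no fallback to the local database.
    print(scenario("authentication", "login", "default", "rtpuser", "rtpuserpass", rejecting_server))
    # Server unreachable: login falls back to local, exec authorization to 'none'.
    print(scenario("authentication", "login", "default", "rtpuser", "rtpuserpass", None))
    print(scenario("authorization", "exec", "default", "anyone", "", None))
```

The third scenario is the one worth watching for when reviewing a configuration like this: with the TACACS+ server down, any user who has already authenticated gets an exec shell with no authorization lookup, whereas the `userauth` and `groupauth` lists used for the VPN client never consult the server at all.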
enable secret 5 $1$CQHC$R/07uQ44E2JgVuCsOUWdG1
enable password ww
!--- Define auth-proxy banner, timeout, and rules.
ip auth-proxy auth-proxy-banner http ^C
Please Enter Your Username and Password:
ip auth-proxy auth-cache-time 10
ip auth-proxy name list_a http
ip audit notify log
ip audit po max-events 100
cns event-service server
!--- Define ISAKMP policy.
crypto isakmp policy 10
!--- These commands define the group policy that
!--- is enforced for the users in the group RTPUSERS.
!--- This group name and the key should match what
!--- is configured on the VPN Client. The users from this
!--- group are assigned IP addresses from the pool RTP-POOL.
crypto isakmp client configuration group RTPUSERS
!--- Define IPSec transform set and apply it to the dynamic crypto map.
crypto ipsec transform-set RTP-TRANSFORM esp-des esp-md5-hmac
crypto dynamic-map RTP-DYNAMIC 10
set transform-set RTP-TRANSFORM
!--- Define extended authentication (X-Auth) using the local database.
!--- This is to authenticate the users before they can
!--- use the IPSec tunnel to access the resources.
crypto map RTPCLIENT client authentication list userauth
!--- Define authorization using the local database.
!--- This is required to push the 'mode configurations' to the VPN Client.
crypto map RTPCLIENT isakmp authorization list groupauth
crypto map RTPCLIENT client configuration address initiate
crypto map RTPCLIENT client configuration address respond
crypto map RTPCLIENT 10 ipsec-isakmp dynamic RTP-DYNAMIC
ip address 10.31.1.111 255.255.255.0
ip access-group 118 in
no ip directed-broadcast
!--- Apply the authentication-proxy rule to the interface.
ip auth-proxy list_a
no ip route-cache
no ip mroute-cache
!--- Apply the crypto-map to the interface.
crypto map RTPCLIENT
ip address 10.14.14.14 255.255.255.0
no ip directed-broadcast
!--- Define the range of addresses in the pool.
!--- VPN Clients will have their 'internal addresses' assigned
!--- from this pool.
ip local pool RTP-POOL 10.20.20.25 10.20.20.50
ip route 0.0.0.0 0.0.0.0 10.14.14.15
ip route 10.1.1.0 255.255.255.0 10.31.1.1
!--- Turn on the HTTP server and authentication.
!--- This is required for http auth-proxy to work.
ip http server
ip http authentication aaa
!--- The access-list 118 permits ISAKMP and IPSec packets
!--- to enable the Cisco VPN Client to establish the IPSec tunnel.
!--- The last line of the access-list 118 permits communication
!--- between the TACACS+ server and the 3640 router to enable
!--- authentication and authorization. All other traffic is denied.
access-list 118 permit esp 10.1.1.0 0.0.0.255 host 10.31.1.111
access-list 118 permit udp 10.1.1.0 0.0.0.255 host 10.31.1.111 eq isakmp
access-list 118 permit tcp host 10.14.14.3 host 10.31.1.111
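To see exactly which packets this inbound ACL lets through, the following Python script (an added example, not part of the Cisco configuration guide) parses the three `access-list 118` lines from the page and evaluates constructed sample packets against them with IOS extended-ACL semantics: first match wins, wildcard bits set to 1 are "don't care", `host` means wildcard 0.0.0.0, `eq isakmp` means UDP 500, and an implicit deny ends every list. The small port-name table and the packet samples are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The router's own ACL entries, copied from the configuration on the page.
ACL_118 = """
access-list 118 permit esp 10.1.1.0 0.0.0.255 host 10.31.1.111
access-list 118 permit udp 10.1.1.0 0.0.0.255 host 10.31.1.111 eq isakmp
access-list 118 permit tcp host 10.14.14.3 host 10.31.1.111
"""

# Subset of the keyword port names IOS accepts in extended ACLs (assumption:
# only 'isakmp' appears on the page; the others are added for realistic input).
PORT_NAMES = {"isakmp": 500, "www": 80, "telnet": 23, "tacacs": 49}

@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]          # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int]          # None means any destination port

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wildcard), tokens[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        # access-list <number> <permit|deny> <proto> <src> <dst> [eq <port>]
        action, proto = tok[2], tok[3]
        src, rest = parse_addr(tok[4:])
        dst, rest = parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries

def matches(spec, ip):
    """Wildcard-mask comparison: only bits where the wildcard is 0 must agree."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(entries, proto, src, dst, dport=None):
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    for e in entries:
        if e.proto not in (proto, "ip"):
            continue
        if not (matches(e.src, src) and matches(e.dst, dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"

ENTRIES = parse_acl(ACL_118)

# Constructed sample packets arriving inbound on the 10.31.1.111 interface.
SAMPLES = [
    ("udp", "10.1.1.5", "10.31.1.111", 500),     # ISAKMP from a VPN client
    ("esp", "10.1.1.200", "10.31.1.111", None),  # IPSec data from a VPN client
    ("tcp", "10.14.14.3", "10.31.1.111", 49),    # TACACS+ server replies
    ("udp", "10.1.1.5", "10.31.1.111", 4500),    # NAT-T: not permitted by this list
    ("tcp", "10.1.1.5", "10.31.1.111", 80),      # plain HTTP from the client subnet
]

def classify_samples():
    return [(pkt, evaluate(ENTRIES, *pkt)) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, verdict in classify_samples():
        print(verdict, pkt)
```

Two things the evaluation makes visible that the ACL text alone does not: the last entry permits every TCP port from the TACACS+ server, not just port 49, and UDP 4500 is not permitted, so a VPN client that had to negotiate NAT traversal would be dropped by this list as written.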
!--- Define the IP address and the key for the TACACS+ server.
tacacs-server host 10.14.14.3 key cisco
line con 0
transport input none
line aux 0
line vty 0 4