Chapter 23
Configuring Management Access
List multiple transform sets in order of priority (highest priority first). You can specify up to six
transform sets.
Step 7
To specify the interface at which you want this tunnel to terminate, enter the following command:
hostname(config)# crypto map crypto_map_name interface interface_name
You can apply only one crypto map name to an interface, so if you want to terminate both a site-to-site
tunnel and VPN clients on the same interface, they need to share the same crypto map name.
This command must be entered after all other crypto map commands. If you change any crypto map
settings, remove this command with the no prefix, then reenter it.
Step 8
To allow Telnet or SSH access, see the "Allowing Telnet Access" section on page 23-1 and the "Allowing SSH Access" section on page 23-2.
For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225).
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set vpn esp-3des esp-sha-hmac
hostname(config)# isakmp key 7mfi02lirotn address 209.165.202.129
hostname(config)# access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
hostname(config)# crypto map telnet_tunnel 1 ipsec-isakmp
hostname(config)# crypto map telnet_tunnel 1 match address TUNNEL
hostname(config)# crypto map telnet_tunnel 1 set peer 209.165.202.129
hostname(config)# crypto map telnet_tunnel 1 set transform-set vpn
hostname(config)# crypto map telnet_tunnel interface outside
hostname(config)# telnet 209.165.201.0 255.255.255.224 outside
hostname(config)# telnet timeout 30
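As an added example (not from the configuration guide), the following Python linter checks a captured crypto map configuration against the rules stated in the steps above: one crypto map name per interface, every sequence number carrying its ipsec-isakmp type, match address, set peer and set transform-set lines, the referenced access list and transform set actually defined, and the interface binding entered after all other crypto map commands. The sample configuration is constructed and deliberately broken so the checks have something to report.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the guide's CLI listing (not the page's own text).
# It is deliberately wrong: the map is bound to the interface before the last entry
# is added, and the last entry names a transform set that was never defined.
SAMPLE_CONFIG = """
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
access-list TUNNEL extended permit ip host 209.165.200.225 209.165.201.0 255.255.255.224
crypto map telnet_tunnel 1 ipsec-isakmp
crypto map telnet_tunnel 1 match address TUNNEL
crypto map telnet_tunnel 1 set peer 209.165.202.129
crypto map telnet_tunnel interface outside
crypto map telnet_tunnel 1 set transform-set vpn-typo
"""
REQUIRED = ("ipsec-isakmp", "match address", "set peer", "set transform-set")
ENTRY = re.compile(r"crypto map (\S+) (\d+) (ipsec-isakmp|match address|set peer|set transform-set) ?(.*)$")

def lint_crypto_maps(config):
    """Return problems found in the crypto map lines of an FWSM-style config:
    interface binding not last, incomplete entries, undefined ACL/transform-set,
    more than one map applied to the same interface."""
    acls, tsets, problems = set(), set(), []
    entries = defaultdict(lambda: defaultdict(dict))  # map -> seq -> {subcommand: args}
    bound, owner = {}, {}                             # map -> interface, interface -> map
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+)", line):
            acls.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[1]] = m[2]
            if owner.setdefault(m[2], m[1]) != m[1]:
                problems.append(f"{m[2]}: only one crypto map per interface ({owner[m[2]]} already applied)")
        elif m := ENTRY.match(line):
            name, seq, key, args = m.groups()
            if name in bound:  # guide: the interface command must come after all other crypto map commands
                problems.append(f"{name} {seq} {key}: entered after '{name} interface {bound[name]}'; re-enter the interface command")
            entries[name][seq][key] = args.split()
    for name, seqs in entries.items():
        for seq, subs in seqs.items():
            problems += [f"{name} {seq}: missing '{k}'" for k in REQUIRED if k not in subs]
            problems += [f"{name} {seq}: access-list {a} not defined" for a in subs.get("match address", []) if a not in acls]
            problems += [f"{name} {seq}: transform-set {t} not defined" for t in subs.get("set transform-set", []) if t not in tsets]
    return problems

if __name__ == "__main__":
    print("\n".join(lint_crypto_maps(SAMPLE_CONFIG)) or "no problems")
```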
Allowing ICMP to and from the FWSM
By default, ICMP (including ping) is not allowed to an FWSM interface or through the FWSM. (To allow ICMP through the FWSM, see Chapter 15, "Permitting or Denying Network Access.") ICMP is an important tool for testing your network connectivity; however, it can also be used to attack the FWSM or your network. We recommend allowing ICMP during your initial testing, but then disallowing it during normal operation.
See the "Rule Limits" section on page A-6 for information about the maximum number of ICMP rules allowed for the entire system.
To permit or deny address(es) to reach an FWSM interface with ICMP (either from a host to the FWSM, or from the FWSM to a host, which requires the ICMP reply to be allowed back), enter the following command:
hostname(config)# icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
If you do not specify an icmp_type, all types are identified. You can enter the number or the name. To control ping, specify echo-reply (0) (FWSM to host) or echo (8) (host to FWSM). See the "ICMP Types" section on page E-15 for a list of ICMP types.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
23-9