Implementing VPN Solutions
Laurel Boyer, CCIE 4918
Presented June 2003


Agenda
- Cost Analysis: Frame vs. VPN
- VPN Drawbacks
- VPN Equipment Alternatives
- Using GRE for Dynamic Routing
- Implementation Examples
- Troubleshooting
- Questions/Discussion

Cost Analysis: Frame vs. VPN
- Premise: this discussion assumes that there is a requirement to remotely connect two or more offices/locations. It focuses on a Hub/Spoke architecture.
- Frame Relay to DSL cost examples

VPN Drawbacks
- VPN connections traverse the Internet, so they are exposed to latency and interruptions that the network administrator cannot influence.
- DSL is normally a better choice than Cable Modem, as it does not share the broadcast media.
- DSL may not be available in all areas, or may not be available at the required speeds.
- Not all DSL/ISP providers are created equal:
  - Ensure that the provider will give you public IP addresses to manage.
  - Ask the provider where the POP is that connects to your office.
  - Request ping times from the POP to your Hub/Destination location.
  - Request peering information between the provider and your destination.
  - Scrutinize the customer service policy.

VPN Equipment Alternatives
- PIX to PIX
- PIX to VPN Concentrator
- PIX to Router w/ IOS Firewall/IPSEC
- VPN Concentrator to Router w/ IOS Firewall/IPSEC
- VPN Concentrator to VPN Concentrator
- Router w/ IOS Firewall/IPSEC to Router w/ IOS Firewall/IPSEC

VPN & GRE Example

Generic Steps for Setting Up a VPN
1. Load basic FW or Router config
2. Set up IPSEC tunnel
3. Set up static routes on routers
4. Set up GRE tunnel

Configure IPSEC Tunnel: ISAKMP
1. Define the encryption algorithm: normally DES or 3DES
2. Define a hashing algorithm: MD5 or SHA
3. Define authentication: RSA/CA or pre-shared key
4. Define the SA (Security Association) lifetime. The default is one day (86400 seconds).

Configure IPSEC Tunnel: ISAKMP Example (peer address not shown in the transcript)

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address <peer-ip>

Configure IPSEC Tunnel: IPSEC
1. Create an extended ACL (access list)
2. Create IPSEC transform(s)
3. Create a crypto map
4. Apply the crypto map to the interface

VPN Router Configuration (IP addresses and masks not shown in the transcript; placeholders in angle brackets)

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key vpn2vpn address <peer-ip>
    !
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    !
    crypto map vpntunnel 10 ipsec-isakmp
     set peer <peer-ip>
     set transform-set ESP-DES-MD5
     match address vpn-tunnel
    !
    interface Ethernet0
     ip address <inside-ip> <mask>
     ip nat inside
    !

VPN Router Configuration, Cont.

    interface Ethernet1
     ip address <outside-ip> <mask>
     ip nat outside
     crypto map vpntunnel
    !
    ip nat inside source route-map Internet interface Ethernet1 overload
    !
    ip access-list extended Nat
     deny ip <local-net> <wildcard> <remote-net> <wildcard>
     permit ip any any
    ip access-list extended vpn-tunnel
     permit ip <local-net> <wildcard> <remote-net> <wildcard>
    !
    route-map Internet permit 10
     match ip address Nat

VPN PIX Configuration (IP addresses and masks not shown in the transcript; placeholders in angle brackets)

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list vpn-tunnel permit ip <local-net> <mask> <remote-net> <mask>
    interface ethernet0 10baset
    interface ethernet1 10full
    ip address outside <outside-ip> <mask>
    ip address inside <inside-ip> <mask>
    nat (inside) 0 access-list vpn-tunnel
    nat (inside) <nat-id> <local-net> <mask>
    route outside <dest> <mask> <gateway>

VPN PIX Configuration, Cont.

    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto map vpntunnel 1 ipsec-isakmp
    crypto map vpntunnel 1 match address vpn-tunnel
    crypto map vpntunnel 1 set peer <peer-ip>
    crypto map vpntunnel 1 set transform-set ESP-DES-MD5
    crypto map vpntunnel interface outside
    isakmp enable outside
    isakmp key vpn2vpn address <peer-ip> netmask <mask>
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 86400

VPN & GRE
- GRE: Generic Routing Encapsulation. Used to encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to remote points over an IP network.
- In this instance, we use an IPSEC tunnel to create a secure/encrypted path between two public points. GRE is used to create a virtual Intranet path between two private points.
- Because GRE carries broadcast and multicast traffic, we can run EIGRP or other dynamic routing protocols over it, reducing the need for static routing in larger VPN topologies.

GRE Example (IP addresses not shown in the transcript; placeholders in angle brackets)

    interface Loopback10
     description Loopback for GRE tunnel
     ip address <local-loopback-ip> <mask>
    !
    interface Tunnel10
     description GRE tunnel to GRE-RTR
     ip address <tunnel-ip> <mask>
     tunnel source Loopback10
     tunnel destination <remote-loopback-ip>
    !
    ip access-list extended vpn-tunnel
     permit ip host <local-loopback-ip> host <remote-loopback-ip>
    !
    ip route <dest> <mask> <next-hop>
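To make the GRE-over-IPsec layering concrete, here is an added Python example (not from the presentation) that builds a GRE-encapsulated packet the way Tunnel10 would and then shows which addresses a crypto ACL actually sees. The addresses (203.0.113.x for the loopback tunnel endpoints, 10.x for the LANs), the EIGRP hello payload and all function names are constructed for the example. It demonstrates why the crypto ACL in the slide is written host-to-host between the tunnel endpoints: the crypto map classifies the outer GRE packet, so an ACL that lists only the private subnets never matches GRE traffic, while the EIGRP multicast inside the tunnel still rides through.

```python
"""GRE-over-IP encapsulation and crypto ACL classification (added example, constructed data)."""
import ipaddress
import struct

GRE_PROTOCOL = 47        # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type field for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an option-less IPv4 packet; rejects a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl != 20 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("unsupported or corrupt IPv4 header")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IP packet in a basic GRE header (no key/sequence) plus an outer IPv4 header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version 0, protocol type IPv4
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre + inner)


def gre_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers and return the inner packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != GRE_PROTOCOL:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C, K or S bit set means a longer header
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def _in_wildcard(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are don't-care bits."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(base)) & care


def crypto_acl_permits(pkt: bytes, acl) -> bool:
    """acl: list of (src, src_wildcard, dst, dst_wildcard) 'permit ip' entries, applied to
    the packet as the crypto map sees it, i.e. the OUTER header of a GRE packet."""
    hdr = parse_ipv4(pkt)
    return any(_in_wildcard(hdr["src"], s, sw) and _in_wildcard(hdr["dst"], d, dw)
               for s, sw, d, dw in acl)


# Constructed sample: an EIGRP hello (IP protocol 88) from the LAN router to the EIGRP
# multicast group; the payload bytes are illustrative only.
INNER = ipv4_packet("10.1.1.1", "224.0.0.10", 88, b"\x02\x05" + b"\x00" * 18, ttl=1)
TUNNEL_SRC, TUNNEL_DST = "203.0.113.1", "203.0.113.2"           # loopback tunnel endpoints
ENDPOINT_ACL = [(TUNNEL_SRC, "0.0.0.0", TUNNEL_DST, "0.0.0.0")]   # permit ip host A host B
LAN_ACL = [("10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255")]  # private subnets only


def demo() -> dict:
    """Encapsulate the hello, classify it against both ACL styles, and round-trip it."""
    gre = gre_encapsulate(INNER, TUNNEL_SRC, TUNNEL_DST)
    outer = parse_ipv4(gre)
    return {"outer": (outer["src"], outer["dst"], outer["proto"]),
            "endpoint_acl_matches": crypto_acl_permits(gre, ENDPOINT_ACL),
            "lan_acl_matches": crypto_acl_permits(gre, LAN_ACL),
            "inner_restored": gre_decapsulate(gre) == INNER}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The outer header carries only the two loopback addresses and protocol 47, which is all the crypto map can match on; the LAN-subnet ACL returns no match and that traffic would leave the router unencrypted or be dropped, the "mismatched access-lists" symptom from the troubleshooting slide.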

Intro the VPN Concentrator: Cisco VPN 3000 series at a glance

                              VPN 3005       VPN 3015     VPN 3030     VPN 3060       VPN 3080
    Simultaneous Users        100            100          1,500        5,000          10,000
    Maximum LAN-to-LAN        (per-model values not legible in the transcript)
    Sessions
    Encryption Throughput     4 Mbps         4 Mbps       50 Mbps      100 Mbps       100 Mbps
    Encryption Method         Software       Software     Hardware     Hardware       Hardware
    Available Expansion Slots (not legible in the transcript)
    Encryption (SEP) Module   (not legible in the transcript)
    Redundant SEP                                         Option       Option         Yes
    System Memory             32 MB (fixed)  64 MB        128 MB       128/256 MB     256/512 MB
    Client License            Unlimited (all models)

Troubleshooting
- Check the IPSEC tunnel:
  - show crypto ipsec sa
  - show crypto isakmp sa
  - clear crypto sa
  - debug crypto ipsec
  - debug crypto isakmp
- Check for mismatched access-lists (most common problem!)
- Check for static routes: you must tell the local router/FW that the private destination is reached via the public interface
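As an added example (not from the presentation) of catching the mismatched access-lists and policy parameters listed above before reaching for the debug commands, the Python script below parses two IOS router configs in the style of the VPN Router Configuration slides and reports each inconsistency between the peers. The configs, the addresses (198.51.100.x, 10.1.0.0/16, 10.2.0.0/16) and the function names are constructed for the example; the defaults it fills in for ISAKMP policy lines that are omitted (des, sha, rsa-sig, group 1, lifetime 86400) are the IOS defaults, which is why the ISAKMP example on the earlier slide only needs to set hash and authentication.

```python
"""Peer-consistency check for two IOS site-to-site IPsec configs (added example, constructed data)."""
from collections import defaultdict

# Constructed sample config for the hub router; addresses and names are hypothetical.
HUB = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key vpn2vpn address 198.51.100.2
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map vpntunnel 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP-DES-MD5
 match address vpn-tunnel
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 crypto map vpntunnel
ip access-list extended vpn-tunnel
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
# The spoke is the hub config with the public addresses swapped and the crypto ACL mirrored.
SPOKE = (HUB.replace("198.51.100.2", "PEER").replace("198.51.100.1", "198.51.100.2")
         .replace("PEER", "198.51.100.1")
         .replace("10.1.0.0 0.0.255.255 10.2.0.0", "10.2.0.0 0.0.255.255 10.1.0.0"))
# A broken spoke: wrong hash, and a wildcard typo in the crypto ACL.
SPOKE_BAD = SPOKE.replace("hash md5", "hash sha").replace("10.1.0.0 0.0.255.255", "10.1.0.0 0.0.0.255")

ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}  # IOS defaults for omitted policy lines


def _acl_addr(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A wildcard'); return it and the rest."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ios(text):
    """Pull the IPsec-relevant pieces of an IOS config into plain dicts."""
    cfg = {"policies": {}, "keys": {}, "tsets": {}, "maps": {},
           "acls": defaultdict(list), "ifaces": {}}
    block = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line.startswith(" "):                    # a top-level command opens a block
            block = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                block = cfg["policies"].setdefault(w[3], dict(ISAKMP_DEFAULTS))
            elif w[:3] == ["crypto", "isakmp", "key"]:   # crypto isakmp key <secret> address <peer>
                cfg["keys"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][w[3]] = frozenset(w[4:])
            elif w[:2] == ["crypto", "map"]:             # crypto map <name> <seq> ipsec-isakmp
                block = cfg["maps"].setdefault((w[2], w[3]), {})
            elif w[:3] == ["ip", "access-list", "extended"]:
                block = cfg["acls"][w[3]]
            elif w[0] == "interface":
                block = cfg["ifaces"].setdefault(w[1], {})
        elif isinstance(block, list):                    # ACL entry: permit ip <src> <dst>
            if w[:2] == ["permit", "ip"]:
                src, rest = _acl_addr(w[2:])
                dst, _ = _acl_addr(rest)
                block.append((src, dst))
        elif block is not None:                          # policy, map-entry or interface line
            if w[0] == "set":                            # set peer X / set transform-set X
                block[w[1]] = w[2]
            elif w[:2] == ["match", "address"]:
                block["acl"] = w[2]
            elif w[:2] == ["ip", "address"]:
                block["address"] = w[2]
            elif w[:2] == ["crypto", "map"]:
                block["map"] = w[2]
            else:                                        # hash md5, authentication pre-share, ...
                block[w[0]] = w[1]
    return cfg


def _tunnel(cfg):
    """The crypto map entry and the interface it is applied to (assumes one entry per map)."""
    ifc = next(i for i in cfg["ifaces"].values() if "map" in i)
    entry = next(m for (name, _seq), m in cfg["maps"].items() if name == ifc["map"])
    return entry, ifc


def check_peers(a, b):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    ea, ia = _tunnel(a)
    eb, ib = _tunnel(b)
    if ea.get("peer") != ib["address"] or eb.get("peer") != ia["address"]:
        findings.append("set peer does not match the far side's crypto interface address")
    if not a["keys"].get(ib["address"]) or a["keys"].get(ib["address"]) != b["keys"].get(ia["address"]):
        findings.append("pre-shared keys for each other differ or are missing")
    ta, tb = a["tsets"].get(ea.get("transform-set")), b["tsets"].get(eb.get("transform-set"))
    if ta is None or ta != tb:
        findings.append("transform-sets differ")
    if not any(pa == pb for pa in a["policies"].values() for pb in b["policies"].values()):
        findings.append("no ISAKMP policy pair agrees on encryption/hash/authentication/group/lifetime")
    mirror = {(dst, src) for src, dst in b["acls"][eb.get("acl")]}   # far side, seen from here
    for src, dst in sorted(set(a["acls"][ea.get("acl")]) ^ mirror):
        findings.append(f"crypto ACL not mirrored: {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
    return findings


if __name__ == "__main__":
    for label, spoke in (("good spoke", SPOKE), ("bad spoke", SPOKE_BAD)):
        print(label, check_peers(parse_ios(HUB), parse_ios(spoke)) or ["OK"])
```

The checker handles the IOS syntax used on the router slides (named extended ACLs, one crypto map entry per peer); the PIX side uses subnet masks instead of wildcards and prefixes each crypto map line with the map name, so it needs a separate parser, but the same five comparisons apply.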

Questions?