© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-1 111 © 2003, Cisco Systems, Inc. All rights reserved.

Slides:



Advertisements
Similar presentations
Cisco Router as a VPN Server. Agenda VPN Categories of VPN – Secure VPNs – Trusted VPN Hardware / Software Requirement Network Diagram Basic Router Configuration.
Advertisements

© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
Internet Protocol Security (IP Sec)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
Building IPSEC VPNS Using Cisco Routers
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Agenda VPN tunnels Configuration of basic core network components Maintenance of Cisco devices Exercises & troubleshooting.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
CCNA 5.0 Planning Guide Chapter 7: Securing Site-to-Site Connectivity
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L5 1 Implementing Secure Converged Wide Area Networks (ISCW)
Chapter 7: Securing Site-to-Site Connectivity
7400 Samsung Confidential & Proprietary Information Copyright 2006, All Rights Reserved. -1/100- OfficeServ 7400 Enterprise IP Solutions Quick Install.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 Implementing Virtual Private Networks.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Securing Site-to-Site Connectivity Connecting Networks.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 8 – Implementing Virtual Private Networks.
What Is Needed to Build a VPN? An existing network with servers and workstations Connection to the Internet VPN gateways (i.e., routers, PIX, ASA, VPN.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.
RE © 2003, Cisco Systems, Inc. All rights reserved.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 3: VPN and Encryption Technology.
Implementing VPN Solutions Laurel Boyer, CCIE 4918 Presented, June 2003.
Page 1 NAT & VPN Lecture 8 Hassan Shuja 05/02/2006.
Chapter 8: Implementing Virtual Private Networks
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Implementing Secure Converged Wide Area Networks (ISCW) Module 3.2.
406 NW’98 1 © 1998, Cisco Systems, Inc. IPSec Loss of Privacy Security Threats Impersonation Loss of Integrity Denial of Service m-y-p-a-s-s-w-o-r-d.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Chapter 8: Implementing Virtual Private Networks
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 4 City College.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
18 July 2004Bill Nickless / IPSec1 IPSec Internet Protocol Security And You.
Hands-On Microsoft Windows Server 2003 Networking Chapter 9 IP Security.
1 © 2009 Cisco Learning Institute. CCNA Security Chapter Eight Implementing Virtual Private Networks.
Implementing Secure Converged Wide Area Networks (ISCW) Module 3.3.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L5 1 Implementing Secure Converged Wide Area Networks (ISCW) Module 3.1.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Virtual Private Network Chapter 4. Lecturer : Trần Thị Ngọc Hoa2 Objectives  VPN Overview  Tunneling Protocol  Deployment models  Lab Demo.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—7-1 Lesson 7 Access Control Lists and Content Filtering.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—6-1 Lesson 6 Translations and Connections.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—15-1 Lesson 15 Configuring PIX Firewall Remote Access Using Cisco Easy VPN.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—16-1 Lesson 16 Easy VPN Remote—Small Office/Home Office.
© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—13-1 Lesson 13 Switching and Routing.
Virtual Private Network Configuration
Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 IPsec.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
K. Salah1 Security Protocols in the Internet IPSec.
Securing Access to Data Using IPsec Josh Jones Cosc352.
Security Data Transmission and Authentication Lesson 9.
WELCOME LAN TO LAN VPN LAN to LAN VPN also known as Site to Site VPN is the most basic and the most simplest of all the VPN’s used on CISCO devices. It.
© 2001, Cisco Systems, Inc. CSPFA 2.0—16-1 Chapter 16 Cisco PIX Device Manager.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
Module 4: Configuring Site to Site VPN with Pre-shared keys
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Presentation transcript:

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0— © 2003, Cisco Systems, Inc. All rights reserved.

FNS 1.0—14-2 Module 14 PIX VPN

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-3 Learning Objectives Upon completion of this module, you will be able to perform the following tasks: Identify how the PIX Firewall enables a secure VPN. Identify the tasks to configure PIX Firewall IPSec support. Identify the commands to configure PIX Firewall IPSec support. Configure a VPN between PIX Firewalls. Describe the Cisco VPN Client.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-4 Overview This module will cover the creation and configuration of secure VPNs. VPNs are a very useful tool in securing traffic between two remote networks. Both site-to-site and remote access VPNs will be covered.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-5 Key Terms IPSec IKE DES, 3DES, AES SHA-1, MD5 RSA Digital Certificates Pre-shared keys Diffie-Hellman

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-6 The PIX Firewall Enables a Secure VPN

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-7 PIX Firewall VPN Topologies

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-8 IPSec Enables PIX Firewall VPN Features Data confidentiality Data integrity Data authentication Anti-replay

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-9 What Is IPSec? IETF standard that enables encrypted communication between peers Consists of open standards for securing private communications. Network layer encryption ensuring data confidentiality, integrity, and authentication. Scales from small to very large networks. Included in PIX Firewall version 5.0 and later.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-10 IPSec Standards Supported by the PIX Firewall IPSec (IP Security protocol) –Authentication Header (AH) –Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) Data Encryption Standard (DES) Triple DES (3DES) Diffie-Hellman (DH) Message Digest 5 (MD5) Secure Hash Algorithm (SHA) Ravist, Shamir, Adelman signatures (RSA) Certificate Authorities (CA)

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-11 IPSec Configuration Tasks

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-12 Task 1—Prepare to Configure VPN Support

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-13 IPSec Configuration Tasks Overview Task 1—Prepare to configure VPN support. Task 2—Configure IKE parameters. Task 3—Configure IPSec parameters. Task 4—Test and verify VPN configuration.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-14 Task 1—Prepare to Configure VPN Support Step 1—Determine the IKE (IKE phase one) policy. Step 2—Determine the IPSec (IKE phase two) policy. Step 3—Ensure that the network works without encryption. Step 4—Implicitly permit IPSec packets to bypass PIX Firewall access lists, access groups, and conduits.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-15 Plan for IKE

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-16 IKE Phase One Policy Parameters

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-17 Determine IKE Phase One Policy IKE SA lifetime Authentication method Encryption algorithm Hash algorithm Site 1 86,400 seconds DES SHA Site 2 DES SHA Pre-share Parameter 768-bit D-HKey exchange Pre-share 768-bit D-H 86,400 seconds

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-18 Plan for IPSec

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-19 Determine IPSec (IKE Phase Two) Policy

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-20 Ensure the Network Works pixfirewall# ping

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-21 Ensure ACLs do not Block IPSec Traffic

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-22 Task 2—Configure IKE Parameters

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-23 Step 1—Enable or Disable IKE Enables or disables IKE on the PIX Firewall interfaces. IKE is enabled by default. Disable IKE on interfaces not used for IPSec. isakmp enable interface-name pixfirewall (config)# pixfirewall(config)# isakmp enable outside

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-24 Step 2—Configure an IKE Phase One Policy Creates a policy suite grouped by priority number. Creates policy suites that match peers. Can use default values. pixfirewall(config)# isakmp policy 10 encryption des pixfirewall(config)# isakmp policy 10 hash sha pixfirewall(config)# isakmp policy 10 authentication pre-share pixfirewall(config)# isakmp policy 10 group 1 pixfirewall(config)# isakmp policy 10 lifetime 86400

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-25 isakmp key keystring address peer-address [netmask] pixfirewall(config)# Step 3—Configure the IKE Pre-shared Key Pre-shared keystring must be identical at both peers. Use any combination of alphanumeric characters up to 128 bytes for keystring. Specify peer-address as a host or wildcard address. Easy to configure, yet is not scalable. pixfirewall(config)# isakmp key cisco123 address

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-26 pixfirewall# show isakmp policy Protection suite of priority 10 encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: seconds, no volume limit Step 4—Verify IKE Phase One Policies Displays configured and default IKE protection suites.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-27 Task 3—Configure IPSec Parameters

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-28 access-list acl_ID {deny | permit} protocol source_addr source_mask destination_addr destination_mask pixfirewall(config)# Step 1—Configure Interesting Traffic permit = encrypt deny = do not encrypt access-list selects IP traffic by address, network, or subnet pixfirewall# access-list 101 permit ip host host

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-29 pix1(config)# show static static (inside,outside) netmask pix1(config)# show access-list access-list 110 permit ip host host PIX1 pix6(config)# show static static (inside,outside) netmask pix2(config)# show access-list access-list 101 permit ip host host PIX6 Example Crypto ACLs Lists should always be symmetrical.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-30 crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] pixfirewall(config)# Step 2—Configure an IPSec Transform Set Sets are limited to up to one AH and up to two ESP transforms. Default mode is tunnel. Configure matching sets between IPSec peers. pix1(config)# crypto ipsec transform-set pix6 esp-des

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-31 Available IPSec Transforms ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform esp-des ESP transform using DES cipher (56 bits) esp-3des ESP transform using 3DES cipher(168 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-sha-hmac ESP transform using HMAC-SHA auth

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-32 Step 3—Configure the Crypto Map Specifies IPSec (IKE phase two) parameters. Map names and sequence numbers group entries into a policy. pixfirewall(config)# crypto map MYMAP 10 ipsec-isakmp pixfirewall(config)# crypto map MYMAP 10 match address 101 pixfirewall(config)# crypto map MYMAP 10 set peer pixfirewall(config)# crypto map MYMAP 10 set transform-set pix6 pixfirewall(config)# crypto map MYMAP 10 set pfs group1 pixfirewall(config)# crypto map MYMAP 10 set security- association lifetime seconds 28800

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-33 crypto map map-name interface interface-name pixfirewall(config)# Step 4—Apply the Crypto Map to an Interface Applies the crypto map to an interface. Activates IPSec policy. pixfirewall(config)# crypto map MYMAP interface outside

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-34 pix1(config)# show crypto map Crypto Map "peer2" 10 ipsec-isakmp Peer = access-list 101 permit ip host host (hitcnt=0) Current peer: Security association lifetime: kilobytes/28800 seconds PFS (Y/N): N Transform sets={ pix2, } Example Crypto Map for PIX1

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-35 pix2(config)# show crypto map Crypto Map "peer1" 10 ipsec-isakmp Peer = access-list 101 permit ip host host (hitcnt=0) Current peer: Security association lifetime: kilobytes/28800 seconds PFS (Y/N): N Transform sets={ pix1, } Example Crypto Map for PIX2

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-36 Task 4—Test and Verify VPN Configuration

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-37 Task 4—Test and Verify VPN Configuration Verify ACLs and interesting traffic. show access-list Verify correct IKE configuration. show isakmp show isakmp policy Verify correct IPSec configuration. show crypto ipsec transform-set

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-38 Task 4—Test and Verify VPN Configuration (cont.) Verify the correct crypto map configuration. show crypto map Clear the IPSec SA. clear crypto ipsec sa Clear the IKE SA. clear crypto isakmp sa Debug IKE and IPSec traffic through the PIX Firewall. debug crypto ipsec debug crypto isakmp

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-39 The Cisco VPN Client

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-40 Topology Overview

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-41 Cisco VPN Client Features Support for Windows ME, Windows 2000, and Windows XP Data compression Split tunneling User authentication by way of VPN central-site device Automatic VPN Client configuration Internal MTU adjustment CLI to the VPN Dialer Start Before Logon Software update notifications from the VPN device upon connection

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-42 PIX Firewall to VPN Client Pre-Shared Example pixfirewall# write terminal access-list 80 permit ip ip address outside ip address inside ip local pool MYPOOL nat (inside) 0 access-list 80 route outside aaa-server MYTACACS protocol tacacs+ aaa-server MYTACACS (inside) host tacacskey timeout 5 aaa authentication include any inbound MYTACACS sysopt connection permit-ipsec crypto ipsec transform-set AAADES esp-des esp-md5-hmac crypto dynamic-map DYNOMAP 10 set transform-set AAADES

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-43 PIX Firewall to VPN Client Pre-Shared Example (cont.) pixfirewall# write terminal crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP crypto map VPNPEER client authentication MYTACACS crypto map VPNPEER interface outside isakmp enable outside isakmp identity address isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime vpngroup TRAINING address-pool MYPOOL vpngroup TRAINING idle-time 1800 vpngroup TRAINING password ********

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-44 VPN Client to PIX Firewall Example A new connection entry named vpnpeer0 is created. The remote server IP is the PIX Firewall outside interface. vpnpeer0

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-45 VPN Client to PIX Firewall Example (cont.) The group name matches the vpngroup name in the PIX Firewall. The password is the pre-shared key and must match the vpngroup password. You can use the digital certificate for authentication. TRAINING

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-46 PIX Firewall Assigns the IP Address to the VPN Client

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-47 Scale PIX Firewall VPNs

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-48 CA Server Fulfilling Requests from IPSec Peers Each IPSec peer individually enrolls with the CA server.

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-49 Enroll a PIX Firewall with a CA Configure CA support Generate public or private keys Authenticate the CA Request signed certificates from the CA CA administrator verifies request and sends signed certificates

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-50 Summary

© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—14-51 Summary The PIX Firewall enables a secure VPN. IPSec configuration tasks include configuring IKE and IPSec parameters. CAs enable scaling to a large number of IPSec peers. Remote users can establish secure VPN tunnels between PCs running Cisco VPN Client software and any Cisco VPN-enabled product, such as the PIX Firewall, that supports the Unified Client framework.

52 © 2003, Cisco Systems, Inc. All rights reserved.