Lesson 12 Configuring Security Appliance Remote Access Using Cisco Easy VPN © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1.


Introduction to Cisco Easy VPN

Cisco Easy VPN
Easy VPN Servers: Cisco IOS > 12.2(8)T Router; PIX Firewall/ASA > 6.2; Cisco VPN 3000 > 3.11 (> recommended)
Easy VPN Remote: Cisco VPN Client > 3.x; Cisco 800 Series Router; Cisco 900 Series Router; Cisco 1700 Series Router; Cisco VPN 3002 Hardware Client; Cisco PIX Firewall 501 and 506

Features of Cisco Easy VPN Server
Server support for Cisco Easy VPN Remote clients was introduced with the release of Cisco PIX Firewall Software v6.2. It allows remote end users to communicate using IPSec with supported security appliance VPN gateways. Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.

Supported Easy VPN Servers
– Cisco IOS > 12.2(8)T router
– PIX Firewall/ASA > 6.2
– Cisco VPN 3000 > 3.11 (> recommended)
(Easy VPN Remote devices shown alongside: Cisco VPN Client > 3.x; Cisco 800, 900 and 1700 Series Routers; Cisco VPN 3002 Hardware Client; Cisco PIX Firewall 501 and 506.)

Supported Easy VPN Remote Clients
– Cisco VPN Software Client > 3.x
– Cisco VPN 3002 Hardware Client > 3.x
– Cisco PIX Firewall 501 and 506 VPN Client > 6.2
– Cisco Easy VPN Remote Router Clients
  – Cisco 800 Series
  – Cisco 900 Series
  – Cisco 1700 Series

Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
– Client mode
  – Specifies that NAT and PAT be used.
  – The client automatically configures the NAT and PAT translations and the ACLs that are needed to implement the VPN tunnel.
  – Supports split tunneling.
– Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
  – PAT is not used.
  – Supports split tunneling.

Easy VPN Remote Client Mode
[Diagram: a PIX Firewall 501/506 (Easy VPN Remote) builds a VPN tunnel to a PIX Firewall 525 (Easy VPN Server); the remote's inside /24 network is PAT-translated before entering the tunnel.]

Easy VPN Remote Network Extension Mode
[Diagram: a Cisco 1710 Router running 12.2(8)YJ (Easy VPN Remote) and a PIX Firewall 501 (Easy VPN Remote) each build a VPN tunnel to a PIX Firewall 525 (Easy VPN Server); the remote /24 networks keep their routable addresses.]

Overview of Cisco VPN Client

Cisco VPN Software Client for Windows

Cisco VPN Client Features and Benefits
Cisco VPN Client provides the following features and benefits:
– Intelligent peer availability detection
– SCEP
– Data compression (LZS)
– Command-line options for connecting, disconnecting, and connection status
– Configuration file with option locking
– Support for Microsoft network login (all platforms)
– DNS, WINS, and IP address assignment
– Load balancing and backup server support
– Centrally controlled policies
– Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
– Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)

Cisco VPN Client Specifications
– Supported tunneling protocols
– Supported encryption and authentication
– Supported key management techniques
– Supported data compression technique
– Digital certificate support
– Authentication methodologies
– Profile management
– Policy management

How Cisco Easy VPN Works

Easy VPN Remote Connection Process
Step 1: The VPN Client initiates the IKE Phase 1 process.
Step 2: The VPN Client negotiates an IKE SA.
Step 3: The Easy VPN Server accepts the SA proposal.
Step 4: The Easy VPN Server initiates a username/password challenge.
Step 5: The mode configuration process is initiated.
Step 6: IKE quick mode completes the connection.

Step 1: Cisco VPN Client Initiates IKE Phase 1 Process
– Using pre-shared keys? Initiate AM (aggressive mode).
– Using digital certificates? Initiate MM (main mode).
[Diagram: remote PC with Easy VPN Remote client connecting to the security appliance Easy VPN Server.]

Step 2: Cisco VPN Client Negotiates an IKE SA
The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server. To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
[Diagram: the remote PC sends Proposal 1, Proposal 2 and Proposal 3 to the security appliance Easy VPN Server.]

Step 3: Easy VPN Server Accepts SA Proposal
The Easy VPN Server searches for a match:
– The first proposal to match the server's list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server's proposal list (highest priority).
The IKE SA is successfully established. Device authentication ends and user authentication begins.
[Diagram: proposal checking on the server finds that Proposal 1 matches.]

Step 4: Easy VPN Server Initiates a Username/Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
All Easy VPN Servers should be configured to enforce user authentication.
[Diagram: the server sends a username/password challenge to the remote PC; the returned username/password is checked by AAA.]

Step 5: Mode Configuration Process Is Initiated
If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
[Diagram: the client requests parameters; the server returns the system parameters via mode configuration.]

Step 6: IKE Quick Mode Completes Connection
After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment. After IPSec SA establishment, the VPN connection is complete.
[Diagram: quick mode, IPSec SA establishment, then the VPN tunnel between the remote PC and the security appliance.]
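The proposal match of Steps 2 and 3, simulated as an added example (not Cisco code and not part of the original deck): the server walks its isakmp policies by sequence number, so the server's ordering, not the client's, decides which proposal is accepted and therefore how strong the Phase 1 SA is. The policy contents and client list are constructed, and the negotiate and weak_attributes helpers are hypothetical names.

```python
"""Added example (not Cisco code): simulates the IKE Phase 1 proposal match
from Steps 2 and 3. The Easy VPN Server walks its isakmp policies from the
lowest sequence number (highest priority) and accepts the first client
proposal that matches; all policy contents below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    """One IKE SA proposal: the attributes an isakmp policy line sets."""
    encryption: str      # des, 3des, aes
    hash: str            # md5, sha
    authentication: str  # pre-share, rsa-sig
    dh_group: int        # 1, 2, 5, ...


@dataclass(frozen=True)
class IsakmpPolicy:
    seq: int             # lower sequence number = higher priority
    proposal: IkeProposal


# Constructed server policies: seq 10 mirrors the configuration summary
# (aes/md5/group 2), seq 20 mirrors Task 1 (des/sha/group 2).
SERVER_POLICIES = [
    IsakmpPolicy(20, IkeProposal("des", "sha", "pre-share", 2)),
    IsakmpPolicy(10, IkeProposal("aes", "md5", "pre-share", 2)),
]

# Constructed client proposal list, sent in this order (Step 2).
CLIENT_PROPOSALS = [
    IkeProposal("des", "sha", "pre-share", 2),
    IkeProposal("aes", "md5", "pre-share", 2),
    IkeProposal("3des", "sha", "pre-share", 5),
]


def select_proposal(server_policies: List[IsakmpPolicy],
                    client_proposals: List[IkeProposal]
                    ) -> Optional[Tuple[int, IkeProposal]]:
    """Return (policy seq, proposal) for the highest-priority server policy
    that any client proposal matches exactly, or None (IKE SA fails)."""
    for policy in sorted(server_policies, key=lambda p: p.seq):
        for proposal in client_proposals:
            if proposal == policy.proposal:
                return policy.seq, proposal
    return None


WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}}


def weak_attributes(proposal: IkeProposal) -> List[str]:
    """List the attributes of an accepted proposal a reviewer would flag."""
    flagged = []
    if proposal.encryption in WEAK["encryption"]:
        flagged.append(f"encryption {proposal.encryption}")
    if proposal.hash in WEAK["hash"]:
        flagged.append(f"hash {proposal.hash}")
    if proposal.dh_group <= 2:
        flagged.append(f"group {proposal.dh_group}")
    return flagged


def negotiate(server_policies: List[IsakmpPolicy],
              client_proposals: List[IkeProposal]) -> str:
    """One-line report of the Phase 1 outcome for the given lists."""
    chosen = select_proposal(server_policies, client_proposals)
    if chosen is None:
        return "IKE SA failed: no proposal matched any server policy"
    seq, proposal = chosen
    weak = weak_attributes(proposal)
    note = "; weak: " + ", ".join(weak) if weak else ""
    return f"IKE SA established with isakmp policy {seq}{note}"


if __name__ == "__main__":
    print(negotiate(SERVER_POLICIES, CLIENT_PROPOSALS))
```

Even though the client lists the DES proposal first, the server accepts AES under policy 10 because that policy has the lower sequence number; a weak policy placed at the lowest sequence number would win instead.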

Configuring Users and Groups

Group Policy
[Diagram: the server pushes a separate policy to each client group across the Internet: Engineering Policy to Eng, Marketing Policy to Mktg, Training Policy to Training.]

Groups and Users
[Diagram: Base group: Corporate. Groups are departments: Customer Service /Base/Service, MIS /Base/Sales, Finance /Base/Finance. Users are individuals: VP of MIS, VP of Finance.]

group-policy Command
To create or edit a group policy, use the group-policy command in global configuration mode. A default group policy, named DfltGrpPolicy, always exists on the security appliance.
firewall(config)# group-policy name internal [from group-policy-name]
fw1(config)# group-policy training internal

group-policy attributes Command
Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.
firewall(config)# group-policy name attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#

Users and User Attributes
To add a user to the security appliance database, enter the username command in global configuration mode.
firewall(config)# username name {nopassword | password password [encrypted]} [privilege priv_level]
fw1(config)# username user1 password
To enter the username attributes submode:
firewall(config)# username name attributes
fw1(config)# username user1 attributes
fw1(config-username)#

Configuring the Easy VPN Server for Extended Authentication

Easy VPN Server General Configuration Tasks
The following general tasks are used to configure an Easy VPN Server on a security appliance:
Task 1: Create ISAKMP policy for remote VPN Client access.
Task 2: Create IP address pool.
Task 3: Define group policy for mode configuration push.
Task 4: Create transform set.
Task 5: Create dynamic crypto map.
Task 6: Assign dynamic crypto map to static crypto map.
Task 7: Apply crypto map to security appliance interface.
Task 8: Configure Xauth.
Task 9: Configure NAT and NAT 0.
Task 10: Enable IKE DPD.

Task 1: Create ISAKMP Policy for Remote VPN Client Access
fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 20 authentication pre-share
fw1(config)# isakmp policy 20 encryption des
fw1(config)# isakmp policy 20 hash sha
fw1(config)# isakmp policy 20 group 2
[Diagram: remote client across the Internet to the server's outside interface; ISAKMP policy: pre-share, DES, SHA, group 2.]

Task 2: Create IP Address Pool
firewall(config)# ip local pool poolname first-address-last-address [mask mask]
fw1(config)# ip local pool MYPOOL
Creates an optional local address pool, used when the remote client obtains its address from the Easy VPN Server as it would from an external DHCP server.

Task 3: Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
Step 1: Set the tunnel group type.
Step 2: Configure the IKE pre-shared key.
Step 3: Specify the local IP address pool.
Step 4: Configure the group policy type.
Step 5: Enter the group-policy attributes submode.
Step 6: Specify the DNS servers.
Step 7: Specify the WINS servers.
Step 8: Specify the DNS domain.
Step 9: Specify idle timeout.

Step 1: Set the Tunnel Group Type
firewall(config)# tunnel-group name type type
fw1(config)# tunnel-group training type ipsec-ra
– Names the tunnel group.
– Defines the type of VPN connection that is to be established.
[Diagram: the server pushes the VPN group settings (pre-shared key, DNS server, WINS server, DNS domain, address pool, idle time) to the remote client across the Internet.]

Step 2: Configure IKE Pre-Shared Key
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group ipsec-attributes submode to configure the key.
firewall(config-ipsec)# pre-shared-key key
Associates a pre-shared key with the connection policy.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123

Step 3: Specify Local IP Address Pool
firewall(config)# tunnel-group name [general-attributes | ipsec-attributes]
Enters tunnel-group general-attributes submode to configure the address pool.
firewall(config-general)# address-pool [interface name] address_pool1 [...address_pool6]
Associates an address pool with the connection policy.
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# address-pool MYPOOL

Step 4: Configure the Group Policy Type
firewall(config)# group-policy name internal [from group-policy-name]
fw1(config)# group-policy training internal

Step 5: Enter the Group-Policy Attributes Subcommand Mode
firewall(config)# group-policy name attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#

Step 6: Specify DNS Servers
firewall(config-group-policy)# dns-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# dns-server value

Step 7: Specify WINS Servers
firewall(config-group-policy)# wins-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# wins-server value

Step 8: Specify DNS Domain
firewall(config-group-policy)# default-domain {value domain-name | none}
fw1(config-group-policy)# default-domain value cisco.com

Step 9: Specify Idle Timeout
firewall(config-group-policy)# vpn-idle-timeout {minutes | none}
fw1(config-group-policy)# vpn-idle-timeout 600

Task 4: Create Transform Set
firewall(config)# crypto ipsec transform-set transform-set-name transform1 [transform2]
fw1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
[Diagram: transform set DES, SHA-HMAC between the remote client and the server's outside interface.]

Task 5: Create Dynamic Crypto Map
firewall(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [... transform-set-name9]
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1

Task 6: Assign Dynamic Crypto Map to Static Crypto Map
firewall(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map

Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface
firewall(config)# crypto map map-name interface interface-name
fw1(config)# crypto map rmt-user-map interface outside

Task 8: Configure Xauth
Task 8 contains the following steps:
Step 1: Enable AAA login authentication.
Step 2: Define AAA server IP address and encryption key.
Step 3: Enable IKE Xauth for the tunnel group.

Step 1: Enable AAA Login Authentication
firewall(config)# aaa-server server-tag protocol server-protocol
fw1(config)# aaa-server mytacacs protocol tacacs+
fw1(config-aaa-server-group)#
[Diagram: remote client across the Internet to the server; TACACS+ server on the inside.]

Step 2: Define AAA Server IP Address and Encryption Key
firewall(config)# aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
fw1(config)# aaa-server mytacacs (inside) host cisco123 timeout 5
fw1(config-aaa-server-host)#

Step 3: Enable IKE Xauth for Tunnel Group
firewall(config-general)# authentication-server-group [(interface-name)] server-group [LOCAL | NONE]
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# authentication-server-group mytacacs
[Diagram: Xauth between the remote client and the server, checked against the inside TACACS+ server.]

Task 9: Configure NAT and NAT 0
– Matches ACL: encrypted data and no translation (NAT 0).
– Does not match ACL: clear text and translation (PAT).
fw1(config)# access-list 101 permit ip
fw1(config)# nat (inside) 0 access-list 101
fw1(config)# nat (inside)
fw1(config)# global (outside) 1 interface

Task 10: Enable IKE DPD
1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.
firewall(config-ipsec)# isakmp keepalive [threshold seconds] [retry seconds] [disable]
Configures the IKE DPD parameters.
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10

Easy VPN Server Configuration Summary
PIX Version 7.0(1)
hostname fw1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime
!--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside

Easy VPN Server Configuration Summary (Cont.)
!--- Configure remote client pool of IP addresses.
ip local pool ippool
!--- Configure group policy parameters.
group-policy training internal
group-policy training attributes
 wins-server value
 dns-server value
 vpn-idle-timeout 600
 default-domain value cisco.com
!--- Configure tunnel group policy parameters.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
 default-group-policy training
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10

Easy VPN Server Configuration Summary (Cont.)
!--- Configure AAA-Server parameters.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host timeout 5 key secretkey
!--- Specify "nonat" access list.
access-list 101 permit ip
!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside)
global (outside) 1 interface
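A configuration check for the summary above, added here as an example and not part of the deck or of Cisco software: it parses the same command forms (isakmp policy, transform-set, tunnel-group submodes, crypto map, nat 0) and reports weak algorithms and missing pieces from the task list. SAMPLE_CONFIG is constructed, with placeholder addresses, pool range and keys.

```python
"""Added example (not Cisco code): line-based audit of an Easy VPN Server
configuration like the summary above. It flags weak ISAKMP/IPSec settings and
missing tunnel-group, crypto map and NAT 0 pieces. The sample config is
constructed; addresses, pool ranges and keys are placeholders."""
from typing import List

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2"}

SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
crypto map rmt-user-map interface outside
ip local pool ippool 192.0.2.10-192.0.2.50 mask 255.255.255.0
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
tunnel-group training ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 30 retry 10
aaa-server MYTACACS host 10.0.0.5 timeout 5 key PLACEHOLDER_KEY
access-list 101 permit ip 10.0.0.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list 101
"""


def parse_config(text: str) -> dict:
    """Collect only the settings the audit needs from a flat ASA config."""
    cfg = {"policies": {}, "transforms": {}, "tunnel_groups": {},
           "acls": set(), "nat0_acl": None, "maps_applied": set()}
    section = None  # tunnel-group name while its indented submode lines follow
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if raw.startswith(" "):  # submode line (ASA indents these)
            if section:
                key = " ".join(words[:2]) if words[0] == "isakmp" else words[0]
                cfg["tunnel_groups"][section].add(key)
            continue
        section = None
        if words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            cfg["policies"].setdefault(words[2], {})[words[3]] = words[4]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][words[3]] = words[4:]
        elif words[:2] == ["crypto", "map"] and "interface" in words:
            cfg["maps_applied"].add(words[2])
        elif words[0] == "tunnel-group":
            cfg["tunnel_groups"].setdefault(words[1], set())
            if words[2] != "type":
                section = words[1]  # general-attributes or ipsec-attributes
        elif words[0] == "access-list":
            cfg["acls"].add(words[1])
        elif words[:3] == ["nat", "(inside)", "0"] and len(words) > 4:
            cfg["nat0_acl"] = words[4]
    return cfg


def audit(text: str) -> List[str]:
    """Return the findings a reviewer would raise, in config order."""
    cfg = parse_config(text)
    findings: List[str] = []
    for seq, attrs in sorted(cfg["policies"].items(), key=lambda kv: int(kv[0])):
        if attrs.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {seq}: encryption {attrs['encryption']} is weak")
        if attrs.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {seq}: hash {attrs['hash']} is weak")
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {seq}: DH group {attrs['group']} is weak")
    for name, transforms in cfg["transforms"].items():
        for t in transforms:
            if t in WEAK_ENCRYPTION or t in WEAK_HASH:
                findings.append(f"transform-set {name}: {t} is weak")
    if not cfg["maps_applied"]:
        findings.append("no crypto map is applied to an interface (Task 7)")
    for name, attrs in cfg["tunnel_groups"].items():
        if "address-pool" not in attrs:
            findings.append(f"tunnel-group {name}: no address-pool for mode config")
        if "authentication-server-group" not in attrs:
            findings.append(f"tunnel-group {name}: authentication-server-group not set (Task 8, Step 3)")
        if "isakmp keepalive" not in attrs:
            findings.append(f"tunnel-group {name}: isakmp keepalive not configured (Task 10)")
    if cfg["nat0_acl"] is None:
        findings.append("no nat 0 exemption: VPN traffic would be translated (Task 9)")
    elif cfg["nat0_acl"] not in cfg["acls"]:
        findings.append(f"nat 0 references undefined access-list {cfg['nat0_acl']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```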

Configure Security Appliance Hub-and-Spoke VPNs

Benefits of Hub-and-Spoke VPNs
[Diagram: hub at the central site; the spokes (a telecommuter, a server, a remote site and a mobile user) each reach the hub across the Internet.]
– Provides support for small sites with a small LAN and low-end PIXs, because only one IPSec tunnel is needed at the spoke routers.
– Scales the network by scaling capacity at the hub.
– Only the hub needs a static, global IP address. All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
– Very easy to add sites and security appliances, as no changes to the existing spoke or hub security appliances are required.

Limitations of Hub-and-Spoke VPNs
– IPSec performance is aggregated at the hub.
– All spoke-to-spoke packets are decrypted and re-encrypted at the hub.
– When using hub-and-spoke with dynamic crypto maps, the IPSec encryption tunnel must be initiated by the spoke routers.

Configure Hub-and-Spoke VPN
VPN spokes can be terminated on a single interface. Traffic from the same security level can also be permitted.
firewall(config)# same-security-traffic permit [inter-interface | intra-interface]
Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface.
fw1(config)# same-security-traffic permit intra-interface

Cisco VPN Client Manual Configuration Tasks

Cisco VPN Client Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client:
Task 1: Install Cisco VPN Client.
Task 2: Create a new connection entry.
Task 3: (Optional) Configure Cisco VPN Client transport properties.
Task 4: (Optional) Configure Cisco VPN Client backup servers properties.
Task 5: (Optional) Configure Dialup properties.

Task 1: Install Cisco VPN Client

Task 2: Create New Connection Entry

Task 3: (Optional) Configure Cisco VPN Client Transport Properties

Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties

Task 5: (Optional) Configure Dialup Properties

Working with the Cisco VPN Client

Cisco VPN Client Program Menu

Virtual Adapter

Setting MTU Size

Cisco VPN Client Statistics Menu

Summary
– Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
– The Easy VPN Server adds several new commands to Cisco PIX Firewall Security Appliance Software v6.3 and later versions.
– The Cisco VPN Client enables software-based VPN remote access.