© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.2—16-1
Slide 1: Lesson 16, Easy VPN Remote—Small Office/Home Office
Slide 2: Objectives
Slide 3: Objectives
Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the two Easy VPN modes of operation.
- Configure the PIX Firewall as an Easy VPN Remote client.
- Explain the PIX Firewall's Secure Unit Authentication and Individual User Authentication features.
- Configure the PIX Firewall for Secure Unit Authentication and Individual User Authentication.
- Describe the PIX Firewall's DHCP server feature.
- Configure the PIX Firewall as a DHCP server.
- Configure the PIX Firewall's PPPoE client.
Slide 4: PIX Firewall Easy VPN Remote Feature Overview
Slide 5: Implementing PIX Firewall Easy VPN Remote
Easy VPN Servers (push policy to the remote):
- Cisco IOS > 12.2(8)T router
- PIX Firewall > 6.2
- VPN 3000 > 3.11 (> 3.5.1 recommended)
Easy VPN Remote: Cisco PIX Firewall 501/506E
(Diagram: the Easy VPN Server pushes policy to the PIX Easy VPN Remote.)
Slide 6: Easy VPN Remote Configuration
Slide 7: Easy VPN Remote Client Configuration
(Diagram: PIX1 as the Easy VPN Remote; addresses shown: 10.0.0.0/24, 10.1.1.1, 10.1.1.2, 10.1.1.3, 192.168.1.2 (Easy VPN server), 209.165.201.5.)

pix1(config)# vpnclient vpngroup training password cisco123
pix1(config)# vpnclient username student1 password training
pix1(config)# vpnclient server 192.168.1.2

Syntax:
pixfirewall(config)# vpnclient vpngroup {group_name} password {preshared_key}
pixfirewall(config)# vpnclient username {xauth_username} password {xauth_password}
pixfirewall(config)# vpnclient server {ip_primary} [ip_secondary_n]

- vpnclient vpngroup: group name and pre-shared key.
- vpnclient username: VPN client extended authentication (XAUTH) username and password.
- vpnclient server: Easy VPN server IP address (optionally followed by secondary server addresses).
Slide 8: Easy VPN Client Device Mode
(Two diagrams, each showing a PIX Firewall 501/506E as the Easy VPN Remote with a VPN tunnel to a PIX Firewall 525 Easy VPN Server whose hosts are 10.1.1.2 and 10.1.1.3.)
- Client mode: the remote's inside network 10.0.0.0/24 is a hidden address range; its hosts are translated (PAT) to the single visible address 209.165.201.5.
- Network extension mode: the remote's inside network 10.0.0.0/24 is a visible address range reachable through the tunnel (10.1.1.1 also shown on the central side).
Slide 9: Easy VPN Client Device Mode Configuration
(Diagram: PIX1; addresses shown: 10.0.0.0/24, 10.1.1.1, 10.1.1.2, 10.1.1.3, 192.168.1.2, 209.165.201.5.)

pix1(config)# vpnclient mode network-extension-mode

Syntax:
pixfirewall(config)# vpnclient mode {client-mode | network-extension-mode}

Sets the Easy VPN Remote device mode: client mode or network extension mode. In network extension mode the remote's inside addresses are visible from the central site.
Slide 10: Enable Easy VPN Remote Device
(Diagram: PIX1 with inside network 10.0.0.0/24 and a VPN tunnel to the central site hosts 10.1.1.2 and 10.1.1.3.)

pix1(config)# vpnclient enable

Syntax:
pixfirewall(config)# vpnclient enable

Enables the Easy VPN Remote device.
Slide 11: Secure Unit Authentication
(Diagram: PIX1 (Easy VPN client) with inside network 10.0.0.0/24; PIX2 (central site) with hosts 10.1.1.2, 10.1.1.3 and an ACS server.)

pix2(config)# vpngroup training secure-unit-authentication

Syntax:
pixfirewall(config)# vpngroup groupname secure-unit-authentication

Enables the secure unit authentication policy at the central site. The policy is pushed to the Easy VPN client, which must then authenticate (via the ACS server) before the tunnel comes up.
Slide 12: Individual User Authentication
(Diagram: PIX1 with inside network 10.0.0.0/24 and a VPN tunnel to PIX2, with hosts 10.1.1.2, 10.1.1.3 and an ACS server at the central site.)

pix2(config)# vpngroup training user-authentication

Syntax:
pixfirewall(config)# vpngroup groupname user-authentication
pixfirewall(config)# vpngroup groupname user-idle-timeout
pixfirewall(config)# vpngroup groupname authentication-server server_tag

Enables the individual user authentication policy at the central site. The policy is pushed to the Easy VPN client, and each remote user must authenticate (via the ACS server) before gaining access to the tunnel.
Slide 13: PPPoE and the PIX Firewall
Slide 14: The PIX Firewall as a PPPoE Client
(Diagram: the PIX PPPoE client with inside network 10.0.0.0/24 connects through a DSL modem to the ISP's PPPoE access concentrator; PPPoE runs on the access link and IPSec runs over it.)
Slide 15: Configure a Virtual Private Dial-Up Networking Group
(Diagram: PIX1 with inside network 10.0.0.0/24, DSL modem, ISP PPPoE access concentrator.)

pix1(config)# vpdn group PPPOEGROUP request dialout pppoe
pix1(config)# vpdn group PPPOEGROUP ppp authentication pap
pix1(config)# vpdn group PPPOEGROUP localname MYUSERNAME

Syntax:
pixfirewall(config)# vpdn group group_name request dialout pppoe
pixfirewall(config)# vpdn group group_name ppp authentication {pap | chap | mschap}
pixfirewall(config)# vpdn group group_name localname username

- request dialout pppoe: defines a VPDN group to be used for PPPoE.
- ppp authentication: selects an authentication method.
- localname: associates the username assigned by your ISP with the VPDN group.
Slide 16: Create VPDN Username and Password
(Diagram: PIX1 with inside network 10.0.0.0/24, DSL modem, ISP PPPoE access concentrator.)

pix1(config)# vpdn username student1 password training

Syntax:
pixfirewall(config)# vpdn username name password pass

Creates a username and password pair for the PPPoE connection.
Slide 17: Enable PPPoE Client
(Diagram: PIX1 with inside network 10.0.0.0/24, DSL modem, ISP PPPoE access concentrator.)

pix1(config)# ip address outside pppoe

Syntax:
pixfirewall(config)# ip address if_name pppoe [setroute]

Enables the PPPoE client on the named interface (setroute installs the default route supplied by the ISP during PPP negotiation).
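The Easy VPN Remote commands (slides 7 to 10) and the PPPoE client commands (slides 15 to 17) only work together when their pieces cross-reference correctly: the vpdn group's localname must name a configured vpdn username, the PPPoE interface needs a dialout group, and vpnclient enable needs the server, group, username and mode lines before it. The following Python lint pass, an added example that is not Cisco's code and not part of the original slides, checks those relationships over a saved configuration. The two sample configurations are constructed for the example (the "secret" password and the CHAP choice are assumptions, not slide values), and the parser assumes the command forms shown on the slides.

```python
"""Added example: lint the Easy VPN Remote / PPPoE client portion of a PIX config.
Not Cisco's code; the sample configs below are constructed for this example."""

# Constructed: a consistent configuration in the form the slides show.
SAMPLE_OK = """\
vpnclient server 192.168.1.2
vpnclient mode network-extension-mode
vpnclient vpngroup training password cisco123
vpnclient username student1 password training
vpnclient enable
vpdn group PPPOEGROUP request dialout pppoe
vpdn group PPPOEGROUP ppp authentication chap
vpdn group PPPOEGROUP localname MYUSERNAME
vpdn username MYUSERNAME password secret
ip address outside pppoe setroute
"""

# Constructed: missing vpnclient mode, PAP, and no vpdn username for the localname.
SAMPLE_BAD = """\
vpnclient server 192.168.1.2
vpnclient vpngroup training password cisco123
vpnclient username student1 password training
vpnclient enable
vpdn group PPPOEGROUP request dialout pppoe
vpdn group PPPOEGROUP ppp authentication pap
vpdn group PPPOEGROUP localname MYUSERNAME
ip address outside pppoe
"""


def lint_pix_remote(config_text):
    """Return a list of findings (strings) for the Easy VPN Remote and PPPoE commands."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    vpnclient = {}                  # keyword after 'vpnclient' -> full line
    vpdn_groups, vpdn_users = {}, set()   # group -> {subcommand: args}, usernames
    pppoe_ifaces = []
    for line in lines:
        w = line.split()
        if w[0] == "vpnclient" and len(w) > 1:
            vpnclient[w[1]] = line
        elif w[:2] == ["vpdn", "group"] and len(w) > 3:
            vpdn_groups.setdefault(w[2], {})[w[3]] = w[4:]
        elif w[:2] == ["vpdn", "username"] and len(w) > 2:
            vpdn_users.add(w[2])
        elif w[:2] == ["ip", "address"] and "pppoe" in w:
            pppoe_ifaces.append(w[2])

    findings = []
    # Slides 7-10: enable only makes sense once server, group, username and mode exist.
    if "enable" in vpnclient:
        for needed in ("server", "vpngroup", "username", "mode"):
            if needed not in vpnclient:
                findings.append(f"vpnclient enable without 'vpnclient {needed} ...'")
        mode = vpnclient.get("mode", "").split()
        if len(mode) == 3 and mode[2] not in ("client-mode", "network-extension-mode"):
            findings.append(f"unknown vpnclient mode '{mode[2]}'")

    # Slides 15-16: each PPPoE dialout group needs a method and a resolvable localname.
    for name, g in vpdn_groups.items():
        if g.get("request") != ["dialout", "pppoe"]:
            continue
        if "ppp" not in g:
            findings.append(f"vpdn group {name}: no 'ppp authentication' method")
        elif g["ppp"][-1].lower() == "pap":
            findings.append(f"vpdn group {name}: PAP sends the ISP password unencrypted; "
                            "prefer CHAP or MSCHAP if the ISP supports it")
        user = g.get("localname", [None])[0]
        if user is None:
            findings.append(f"vpdn group {name}: no localname")
        elif user not in vpdn_users:
            findings.append(f"vpdn group {name}: localname {user} has no "
                            f"'vpdn username {user} password ...'")

    # Slide 17: the PPPoE interface needs a dialout group to use.
    dialout = any(g.get("request") == ["dialout", "pppoe"] for g in vpdn_groups.values())
    if pppoe_ifaces and not dialout:
        findings.append("ip address ... pppoe configured but no vpdn group requests dialout pppoe")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_pix_remote(cfg) or "no findings")
```

Run it against a `show running-config` capture saved to a file; anything it reports is a line the slides' procedure would have required and the configuration lacks. The PAP note is advisory only: PAP is what the slide example uses, and whether CHAP or MSCHAP is available depends on the ISP.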
Slide 18: Monitoring the PPPoE Client

pixfirewall(config)# show vpdn session [l2tp | pptp | pppoe] [id session_id | packets | state | window]
Displays session information.

pixfirewall(config)# show vpdn tunnel [l2tp | pptp | pppoe] [id tunnel_id | packets | state | summary | transport]
Displays tunnel information.

pixfirewall(config)# show vpdn
Displays tunnel and session information.
Slide 19: Monitoring the PPPoE Client (Cont.)

pixfirewall(config)# show ip address if_name pppoe
Displays detailed information about a PPPoE connection.

pixfirewall(config)# show vpdn pppinterface [id intf_id]
Displays the interface identification value.

pixfirewall(config)# show vpdn username [name]
Displays local usernames.

pixfirewall(config)# show vpdn group [groupname]
Displays configured groups.
Slide 20: Debugging the PPPoE Client

pixfirewall(config)# debug pppoe {event | error | packet}
Enables debugging for the PPPoE client.
Slide 21: DHCP Server Configuration
Slide 22: DHCP
The PIX Firewall's DHCP server can be used to dynamically assign:
- An IP address and subnet mask
- The IP address of a DNS server
- The IP address of a WINS server
- A domain name
- The IP address of a TFTP server
- A lease length
Slide 23: DHCP Server
(Diagram: the PIX DHCP server, with pool 10.1.1.2–10.1.1.20, between an inside client and the Internet; the four messages are numbered on the diagram.)
1. DHCPDISCOVER: the client seeks an address.
2. DHCPOFFER: the server offers 10.1.1.2.
3. DHCPREQUEST: the client requests 10.1.1.2.
4. DHCPACK: the server acknowledges the assignment of 10.1.1.2.
Slide 24: Configuring the PIX Firewall as a DHCP Server
Step 1: Assign a static IP address to the inside interface.
Step 2: Specify a range of addresses for the DHCP server to distribute.
Step 3: (Optional.) Specify the IP address of the DNS server.
Step 4: (Optional.) Specify the IP address of the WINS server.
Step 5: (Optional.) Configure the domain name.
Step 6: (Optional.) Specify the IP address of the TFTP server.
Step 7: Specify the lease length (default = 3,600 seconds).
Step 8: Enable DHCP.
Slide 25: Configure DHCP Address Pool
(Diagram: the PIX as DHCP server with inside network 10.0.0.0/24, clients 10.1.1.2 and 10.1.1.3, and an ACS server; DHCP address pool 10.1.1.2-10.1.1.15.)

pix1(config)# dhcpd address 10.1.1.2-10.1.1.15 inside

Syntax:
pixfirewall(config)# dhcpd address ip1[-ip2] [if_name]

Specifies a range of addresses for DHCP to assign.
Slide 26: Specify WINS, DNS, and Domain Name
(Diagram: the PIX as DHCP server with inside network 10.0.0.0/24, clients 10.0.0.2 and 10.0.0.3, a WINS server and a DNS server; pushed values: WINS 10.0.0.21, DNS 10.0.0.14, domain cisco.com.)

pix1(config)# dhcpd wins 10.0.0.21
pix1(config)# dhcpd dns 10.0.0.14
pix1(config)# dhcpd domain cisco.com

Syntax:
pixfirewall(config)# dhcpd wins wins1 [wins2]
pixfirewall(config)# dhcpd dns dns1 [dns2]
pixfirewall(config)# dhcpd domain domain_name

- dhcpd wins: specifies the WINS server address(es) handed to DHCP clients.
- dhcpd dns: specifies the DNS server address(es) handed to DHCP clients.
- dhcpd domain: specifies the domain name handed to DHCP clients.
Slide 27: DHCP Option 66 and 150
(Diagram: the PIX as DHCP server with inside network 10.0.0.0/24, client 10.1.1.2 and TFTP server 10.0.0.11; pushed values: option 150 10.0.0.11, option 66 10.0.0.11.)

pix1(config)# dhcpd option 150 ip 10.0.0.11
pix1(config)# dhcpd option 66 ascii 10.0.0.11

Syntax:
pixfirewall(config)# dhcpd option 150 ip server_ip1 [server_ip2]
pixfirewall(config)# dhcpd option 66 ascii {server_name | server_ip_str}

- Option 150 distributes a list of TFTP servers for IP Phone connections.
- Option 66 distributes a single TFTP server (as an ASCII name or address string) for IP Phone connections.
Slide 28: Setting DHCP Lease Length
(Diagram: the PIX as DHCP server with inside network 10.0.0.0/24, clients 10.1.1.2 and 10.1.1.3, and an ACS server; the lease length is pushed with the address.)

pix1(config)# dhcpd lease 3000

Syntax:
pixfirewall(config)# dhcpd lease lease_length

Specifies the DHCP lease length.
Slide 29: Enable DHCP
(Diagram: the PIX as DHCP server with inside network 10.0.0.0/24, clients 10.1.1.2 and 10.1.1.3, and an ACS server.)

pix1(config)# dhcpd enable inside

Syntax:
pixfirewall(config)# dhcpd enable [if_name]

Enables the DHCP server.
Slide 30: DHCP Server Auto Configuration
(Diagram: the PIX is a DHCP client on its outside interface and a DHCP server on its inside interface. Learned from the outside DHCP server: WINS 10.0.0.21, DNS 10.0.0.15, domain cisco.com. Handed to the inside client: IP address 10.1.1.2, WINS 10.0.0.21, DNS 10.0.0.15, domain cisco.com.)

pix1(config)# ip address outside dhcp
pix1(config)# dhcpd address 10.1.1.2-10.1.1.20 inside
pix1(config)# dhcpd auto_config
pix1(config)# dhcpd enable inside

Syntax:
pixfirewall(config)# dhcpd auto_config [client_ifx_name]

Enables the PIX Firewall to take the DNS, WINS, and domain name values its DHCP client learned on the outside interface and hand them out automatically from its DHCP server on the inside interface.
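Slides 23 to 30 describe two things at once: the four-message DISCOVER/OFFER/REQUEST/ACK exchange, and the set of values (pool, mask, DNS, WINS, domain, option 66/150 TFTP servers, lease) that the PIX dhcpd commands push with the address. The following Python model, an added example that is not Cisco's code and not part of the original slides, builds real RFC 2131 messages, serves them from a pool the way the slides describe, and decodes what the client receives. It also covers the failure case the exchange implies: a client that REQUESTs an address it was never OFFERed gets a NAK. All addresses, the MAC addresses and the transaction ID are constructed from the slide values; the router option (3) being set to the server address is an assumption of this model, not a slide statement.

```python
"""Added example (not Cisco's code): a toy DHCP server modelling the PIX dhcpd
feature set from this lesson, driving one client through DISCOVER/OFFER/REQUEST/ACK.
Values are constructed from the slides; nothing here touches a real network."""
import ipaddress
import struct

# Option codes (RFC 2132; 150 is the Cisco TFTP-server-list option from slide 27).
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_WINS = 1, 3, 6, 15, 44
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 50, 51, 53, 54
OPT_TFTP_NAME, OPT_TFTP_IPS = 66, 150
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
COOKIE = b"\x63\x82\x53\x63"


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Serialise a minimal RFC 2131 message: 236-byte fixed header, cookie, TLV options, END."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2          # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,            # broadcast flag set
                         b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                         b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSGTYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + COOKIE + body + b"\xff"


def parse(pkt):
    """Return (msg_type, xid, chaddr, yiaddr, {option_code: raw_bytes})."""
    xid = struct.unpack("!I", pkt[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))
    chaddr = pkt[28:34]
    if pkt[236:240] != COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while pkt[i] != 0xFF:                                      # walk options up to END
        if pkt[i] == 0:                                        # PAD
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts[OPT_MSGTYPE][0], xid, chaddr, yiaddr, opts


class PixStyleDhcpServer:
    """One per interface: dhcpd address / dns / wins / domain / option 66 / option 150 / lease."""

    def __init__(self, server_ip, pool, mask, lease=3600, dns=(), wins=(), domain=None, tftp=()):
        first, last = (ipaddress.IPv4Address(p) for p in pool.split("-"))
        self.free = [ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1)]
        self.server_ip, self.mask, self.lease = ipaddress.IPv4Address(server_ip), ipaddress.IPv4Address(mask), lease
        self.dns = [ipaddress.IPv4Address(a) for a in dns]
        self.wins = [ipaddress.IPv4Address(a) for a in wins]
        self.tftp = [ipaddress.IPv4Address(a) for a in tftp]
        self.domain = domain
        self.offers, self.leases = {}, {}                      # chaddr -> IPv4Address

    def _pushed_options(self):
        """Everything handed out with the address (slides 22 and 26-28)."""
        opts = [(OPT_SERVER_ID, self.server_ip.packed), (OPT_MASK, self.mask.packed),
                (OPT_ROUTER, self.server_ip.packed),           # assumption: PIX inside is the gateway
                (OPT_LEASE, struct.pack("!I", self.lease))]
        if self.dns:
            opts.append((OPT_DNS, b"".join(a.packed for a in self.dns)))
        if self.wins:
            opts.append((OPT_WINS, b"".join(a.packed for a in self.wins)))
        if self.domain:
            opts.append((OPT_DOMAIN, self.domain.encode()))
        if self.tftp:
            opts.append((OPT_TFTP_NAME, str(self.tftp[0]).encode()))          # option 66: ASCII string
            opts.append((OPT_TFTP_IPS, b"".join(a.packed for a in self.tftp)))  # option 150: IP list
        return opts

    def _held(self, chaddr):
        return self.leases.get(chaddr, self.offers.get(chaddr))

    def handle(self, pkt):
        """Reply bytes for a client DISCOVER or REQUEST; None when silent (e.g. pool exhausted)."""
        msg_type, xid, chaddr, _, opts = parse(pkt)
        if msg_type == DISCOVER:
            addr = self._held(chaddr)                          # re-offer a known client its address
            if addr is None:
                if not self.free:
                    return None
                addr = self.free.pop(0)
                self.offers[chaddr] = addr
            return build(OFFER, xid, chaddr, str(addr), self._pushed_options())
        if msg_type == REQUEST:
            wanted = ipaddress.IPv4Address(opts.get(OPT_REQUESTED_IP, b"\0\0\0\0"))
            held = self._held(chaddr)
            if held is None or wanted != held:
                return build(NAK, xid, chaddr)                 # not what this MAC was offered
            self.leases[chaddr] = self.offers.pop(chaddr, held)
            return build(ACK, xid, chaddr, str(held), self._pushed_options())
        return None


def run_exchange(server, chaddr, xid=0x1234, request=None):
    """Drive the four-message exchange; return (outcome, assigned address, decoded options)."""
    offer = server.handle(build(DISCOVER, xid, chaddr))
    if offer is None:
        return "NO_OFFER", None, {}
    _, _, _, offered, _ = parse(offer)
    wanted = request or offered                                # a well-behaved client echoes the offer
    reply = server.handle(build(REQUEST, xid, chaddr, options=[
        (OPT_REQUESTED_IP, ipaddress.IPv4Address(wanted).packed),
        (OPT_SERVER_ID, server.server_ip.packed)]))
    kind, _, _, yiaddr, opts = parse(reply)
    dns_raw = opts.get(OPT_DNS, b"")
    decoded = {
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
        "dns": [str(ipaddress.IPv4Address(dns_raw[i:i + 4])) for i in range(0, len(dns_raw), 4)],
        "domain": opts.get(OPT_DOMAIN, b"").decode(),
        "tftp66": opts.get(OPT_TFTP_NAME, b"").decode(),
    }
    return ("ACK" if kind == ACK else "NAK"), yiaddr, decoded


if __name__ == "__main__":
    # Constructed from slides 25-28: pool, lease 3000, DNS/WINS/domain, TFTP 10.0.0.11.
    pix = PixStyleDhcpServer("10.1.1.1", "10.1.1.2-10.1.1.20", "255.255.255.0", lease=3000,
                             dns=["10.0.0.14"], wins=["10.0.0.21"], domain="cisco.com", tftp=["10.0.0.11"])
    print(run_exchange(pix, b"\x00\x11\x22\x33\x44\x55"))       # constructed client MAC
```

The server keys offers and leases by client hardware address, which is what lets a client that already holds 10.1.1.2 get the same address back on a later DISCOVER, and what makes a REQUEST for someone else's offered address fail with a NAK rather than a duplicate assignment.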
Slide 31: debug dhcpd and clear dhcpd Commands

pixfirewall(config)# debug dhcpd {event | packet}
Displays information associated with the DHCP server.

pixfirewall(config)# clear dhcpd
Removes all dhcpd command statements from the configuration.
Slide 32: Summary
Slide 33: Summary
- Easy VPN Remote can operate in client or network extension mode.
- With Secure Unit Authentication, the remote PIX Firewall must authenticate before the VPN tunnel comes up.
- With Individual User Authentication, the remote user must authenticate before the user gains access to the VPN tunnel.
- The PIX Firewall can function as a DHCP client and DHCP server.
- Configuring the PIX Firewall as a PPPoE client enables it to secure broadband Internet connections such as DSL.