Date post: 07-Aug-2018
Capitulo 7_2 (2).pptx (8/20/2019)
Chapter 7. © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public

Slide 1/36: ADSL Example
There are three ways to encapsulate IP packets over an ATM and DSL connection:
• RFC 1483/2684 Bridged: unpopular due to security and scalability issues.
• PPP over Ethernet (PPPoE)
• PPP over ATM (PPPoA)
[Figure: ADSL topology with CPE, local loop, DSLAM, ATM, service provider network, core router, DHCP server, Internet and Branch]
Slide 2/36: Implementation Plan
1. Deploy broadband connectivity
2. Configure static routing
3. Document and verify other services
4. Implement and tune the IPsec VPN
5. Configure GRE tunnels
Note:
• For simplicity reasons, the ADSL Internet link implemented in the previous step will be replaced by a Serial link.
Slide 3/36: VPN Solutions
There are basically two VPN solutions:
• Site-to-site VPNs
  • VPN endpoints are devices such as routers.
  • The VPN is completely hidden from the users.
• Remote-access VPNs
  • A mobile user initiates a VPN connection re
Slide 4/36: Site-to-Site VPNs
[Figure only]
Slide 5/36: Remote Access VPNs
[Figure only]
Slide 6/36: IPsec Technologies
IPsec VPNs provide two significant benefits:
• Encryption
• Encapsulation
IPsec encryption provides three major services:
• Confidentiality
• Integrity
• Authentication
Slide 7/36: IPsec Encapsulation
IPsec is capable of tunneling packets using an additional encapsulation.
[Figure: tunnel-mode packet layout: New IP Header | ESP Header | Original IP Header | TCP | Data | ESP Trailer | ESP Authentication, with the "Encrypted" and "Authenticated" spans marked]
Slide 8/36: IPsec Encapsulation Example
The example displays how a packet is encapsulated.
[Figure: Branch LAN 192.168.1.0/24 (Fa0/0, S0/0/1 on 209.165.200.224/29) and HQ LAN 10.10.10.0/24 (Fa0/0, S0/0/1 on 209.165.200.240/29), connected through the ISP over the Internet]
Original packet: Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP | Data
After IPsec VPN encapsulation: New IP Header (Source and Destination: the peers' public 209.165.200.x addresses) | ESP Header | Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP | Data | ESP Trailer | ESP Authentication
Slide 9/36: IPsec Site-to-Site VPN Example
The Branch router has been configured to support an IPsec VPN when connecting to the HQ site. The purpose of the IPsec VPN link is to serve as a backup link in case the private WAN link fails.
• The long-term goal is to decommission the WAN link completely and use only the VPN connection to communicate between the branch office and the head
Slide 10/36: Steps to Configuring an IPsec VPN
1. Configure the initial key (ISAKMP policy) details.
2. Configure the IPsec details.
3. Configure the crypto ACL.
4. Configure the VPN tunnel information.
5. Apply the crypto map.
[Figure: the same Branch/HQ topology (192.168.1.0/24 and 10.10.10.0/24 over 209.165.200.224/29 and 209.165.200.240/29 through the ISP); an Email Server at HQ and a Branch Server, each with a static public 209.165.200.x address and a NAT pool on its side; IPsec VPN between the sites]
Slide 11/36: IPsec VPN Components
ISAKMP Policy
• Contains the authentication, encryption and hashing method commands that are first used to negotiate and exchange credentials with a VPN peer.
IPsec Details
• Identifies an acceptable combination of security protocols, algorithms, and other settings.
Crypto ACL
• Is an extended IP ACL that identifies the traffic to be protected.
• A permit statement results in the traffic being encrypted, while a deny statement sends traffic out in clear text.
• Both VPN peers must have reciprocating ACLs.
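The crypto ACL component above (step 3 of the configuration procedure) requires reciprocating ACLs on both peers. The following added example, which is not part of the Cisco course material, parses a small subset of IOS extended-ACL syntax for two peers and reports every permit that has no counterpart with source and destination swapped; the Branch and HQ ACL text is constructed for the scenario on the slides, with one HQ entry deliberately mismatched.

```python
"""Check that two IPsec peers' crypto ACLs are reciprocating (mirror images).

Added example, not course material. Handles the IOS extended-ACL subset
'permit|deny ip <src> <wildcard> <dst> <wildcard>' with 'host A' and 'any'.
A permit on one peer with no src/dst-swapped permit on the other means one
side encrypts traffic that the other will not accept into the tunnel.
"""
import ipaddress


def _endpoint(tokens, i):
    """Return (network, next token index) for 'any', 'host A' or 'A wildcard'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24.
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return the set of (src, dst) networks the ACL marks as interesting traffic."""
    permits = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue  # deny entries go out in clear text; they are not protected
        src, i = _endpoint(tokens, 2)
        dst, _ = _endpoint(tokens, i)
        permits.add((src, dst))
    return permits


def missing_mirrors(acl_a, acl_b):
    """Permits on peer A that peer B does not mirror with src and dst swapped."""
    mirrored = parse_crypto_acl(acl_b)
    return sorted((s, d) for s, d in parse_crypto_acl(acl_a) if (d, s) not in mirrored)


# Constructed ACLs for the Branch/HQ scenario on the slides. The first HQ entry
# is deliberately wrong (wildcard 0.0.0.127 = /25, not /24) so a mismatch shows.
BRANCH_ACL = """permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip host 192.168.1.10 host 10.10.10.10"""
HQ_ACL = """permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.127
permit ip host 10.10.10.10 host 192.168.1.10"""
```

Calling `missing_mirrors(BRANCH_ACL, HQ_ACL)` returns the one Branch permit that HQ fails to mirror; run it in both directions, since an extra entry on either side is also a mismatch.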
Slide 12/36: GRE Overview
Tunneling protocol developed by Cisco.
Can encapsulate a wide variety of network layer protocol packets inside IP tunnels.
• GRE is commonly implemented with IPsec to support IGPs.
GRE is just an encapsulation protocol.
• By default, the traffic leaves in clear text.
Therefore, GRE tunnels do not provide encryption services.
• IPsec must also be configured to encrypt the routing traffic.
Note:
• IPsec was designed to tunnel IP only (no multiprotocol support)
• Older IOS versions do not support IP multicast over IPsec
Slide 13/36: Sending IGP Traffic Over IPsec
Routing protocols are encapsulated with a GRE header.
The packet encapsulated by GRE is then encapsulated with IPsec.
Therefore, IPsec encrypts the GRE packet which contains the routing update.
[Figure: IPsec Crypto Map; GRE Tunnel; IPsec Encrypted Traffic; Routing Protocol Updates]
Slide 14/36: Transport, Carrier, Passenger Protocols
In our scenario, the payload of GRE packets will be EIGRP routing updates and LAN-to-LAN corporate traffic.
• The GRE packet will then be encapsulated inside an IPsec packet.
Therefore, IPsec is the "transport protocol," and GRE is the "carrier protocol" used to carry other "passenger protocols," such as IP broadcast or IP multicast, and non-IP protocols
[Figure: IPsec (New IP Header) = Transport Protocol; GRE = Carrier Protocol; Network Packet (Original IP header and Data) = Passenger Protocol]
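As an added example that is not part of the course material, the following Python builds a constructed GRE-over-IPsec packet with the layering described on slides 7, 8 and 14 and dissects it, labelling each header as transport, carrier or passenger. It assumes the ESP payload is viewed after decryption (no encryption, ESP trailer or ICV is applied), and the addresses and the EIGRP stand-in payload are constructed.

```python
"""Dissect a GRE-over-IPsec packet into transport, carrier and passenger layers.

Added example, not course material. The packet is constructed here, and the ESP
payload is left in the clear (as seen after decryption; no encryption, trailer
or ICV), so the header chain can be followed with plain offsets.
"""
import struct

IPPROTO_ESP, IPPROTO_GRE, IPPROTO_EIGRP = 50, 47, 88
ROLE = {IPPROTO_ESP: "transport (IPsec)", IPPROTO_GRE: "carrier (GRE)"}


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since only layering matters."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def build_packet():
    """Routing update -> GRE -> IPsec tunnel mode, with constructed addresses."""
    eigrp = b"\x02\x01" + b"\x00" * 18                       # stand-in EIGRP hello
    passenger = ipv4_header("10.1.1.1", "224.0.0.10", IPPROTO_EIGRP, len(eigrp)) + eigrp
    gre = struct.pack("!HH", 0, 0x0800) + passenger           # GRE flags=0, proto=IPv4
    carrier = ipv4_header("209.165.200.226", "209.165.200.241", IPPROTO_GRE, len(gre)) + gre
    esp = struct.pack("!II", 0x1000, 1) + carrier             # ESP header: SPI, sequence
    return ipv4_header("209.165.200.226", "209.165.200.241", IPPROTO_ESP, len(esp)) + esp


def dissect(pkt):
    """Return [(layer, role, detail), ...] walking from the outer header inward."""
    layers, offset = [], 0
    while True:
        ihl, proto = (pkt[offset] & 0x0F) * 4, pkt[offset + 9]
        src = ".".join(str(b) for b in pkt[offset + 12:offset + 16])
        dst = ".".join(str(b) for b in pkt[offset + 16:offset + 20])
        layers.append(("IPv4", ROLE.get(proto, "passenger"), f"{src}->{dst} proto {proto}"))
        offset += ihl
        if proto == IPPROTO_ESP:
            spi, seq = struct.unpack_from("!II", pkt, offset)
            layers.append(("ESP", ROLE[proto], f"spi={spi:#x} seq={seq}"))
            offset += 8
        elif proto == IPPROTO_GRE:
            flags, ptype = struct.unpack_from("!HH", pkt, offset)
            layers.append(("GRE", ROLE[proto], f"protocol={ptype:#06x}"))
            offset += 4 + 4 * bin(flags >> 12).count("1")  # optional C, K, S words
        else:
            layers.append((f"proto {proto}", "passenger", f"{len(pkt) - offset} bytes"))
            return layers
```

`dissect(build_packet())` yields the outer IPv4 and ESP headers as the transport, the tunnel IPv4 and GRE headers as the carrier, and the inner IPv4 header with the EIGRP payload (multicast to 224.0.0.10, which IPsec alone could not carry) as the passenger.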
Slide 15/36: Planning for Mobile Worker Implementations
Slide 16/36: Connecting a Mobile Worker
There are many challenges to connecting an increasingly mobile workforce. Mobile workers have become power users who may not even need a full-time office but re
Slide 17/36: Enterprise Mobile Worker Considerations
In addition to the regular email and Internet support, mobile workers are increasingly re
Slide 18/36: Connecting Mobile Workers
[Figure only]
Slide 19/36: Enterprise Mobile Worker Considerations
Other mobile worker considerations include:
• Security
• Authentication
• IPsec and Secure Sockets Layer (SSL) VPNs
• Quality of Service (QoS)
• Management
Slide 20/36: Enterprise Mobile Worker Considerations
Security:
• Security options safeguard the corporate network and close unguarded back doors.
• Deploying firewall, intrusion prevention, and URL filtering services meets most security needs.
Authentication:
• Authentication defines who gains access to resources.
• Identity-based network services using authentication, authorization, and accounting (AAA) servers, 802.1X port-based access control, Cisco security, and trust agents are used.
Slide 21/36: Enterprise Mobile Worker Considerations
IPsec and Secure Sockets Layer
[Figure only]
Slide 22/36: Connecting Mobile Workers
The choice of implementation will affect the routing solution.
Remote-Access VPN users will use a portable device (i.e., laptop) to initiate a VPN connection using either VPN client software or an SSL Internet browser connection.
SOHO with a DSL Router is an example of a business-ready mobile worker. The routers maintain an always-on site-to-site IPsec VPN connection and the VPN is completely hidden to the user.
Slide 23/36: Components for Mobile Workers
A mobile worker solution usually has three major components:
• Components located at the mobile worker's remote site
• Corporate components located at the central site
• Optional IP telephony and other services.
  • May be embedded into the user laptop via soft phones and other applications.
Slide 24/36: Business-Ready VPN Components
Cisco Easy VPN Server:
• A Cisco IOS router or Cisco PIX / ASA Firewall configured as the VPN headend device in site-to-site or remote-access VPNs.
And either:
• Cisco Easy VPN Remote:
  • A Cisco IOS router or Cisco PIX / ASA Firewall acting as a remote VPN client.
• Cisco Easy VPN Client:
  • An application supported on a PC used to access a Cisco VPN server.
Slide 25/36: Routing Traffic to the Mobile Worker
Slide 26/36: Easy VPN Server
The Cisco Easy VPN server feature is usually configured on the headend VPN router (typically the edge router).
• It concentrates the bulk of the remote-end configuration, which "pushes" the policies to the client at the moment of connection.
At the remote end, the device used by the mobile worker is known as the Easy VPN remote or Easy VPN client. The Easy VPN remote device starts an IPsec VPN tunnel to connect to the Easy VPN server across the public network.
Slide 27/36: VPN Headend Router Implementation Plan
1. Allow IPsec traffic
2. Define an address pool for connecting clients.
3. Provide routing services for VPN subnets.
4. Tune NAT for VPN traffic flows.
5. Verify IPsec VPN configuration
Note:
• For simplicity reasons, the scenarios used in the following steps are loosely connected examples
• Therefore, the network and IP addressing may vary between steps.
Slide 28/36: Remote Access VPNs - SSL VPN
[Figure only]
Slide 29/36: Remote Access VPNs - Cisco VPN Client
[Figure: Cisco VPN Client screenshot, "User Authentication for R1"; connection entry R1, host R1-vpn-cluster.cisco.com, transport IPSec/UDP]
Slide 30/36: Remote Access VPNs - Cisco VPN Client
[Figure: R1]
Slide 31/36: Verify Remote Access VPN Connectivity
[Figure only]
Slide 32/36: Chapter 7 Summary
The chapter focused on the following topics:
• Planning the branch office implementation
• Analyzing services in the branch office
• Planning for mobile worker implementations
• Routing traffic to the mobile worker
Slide 33/36: Chapter 7 Lab
Lab 7-1 Configure Routing Facilities to the Branch Office
Slide 34/36: Resources
Cisco IOS Software Releases 12.4 Mainline
• http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_home.html
The Cisco IOS Command Reference
• http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html
Slide 35/36: Chapter 7 Labs
Lab 7-1 Configure Routing Facilities to the Branch Office