Capitulo 7_2 (2).pptx

Date post: 07-Aug-2018
Upload: gregory-nick-toledo-veliz
Transcript
  • 8/20/2019 Capitulo 7_2 (2).pptx

    1/36

    Chapter 7 © 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public

    ADSL Example

    There are three ways to encapsulate IP packets over an ATM and DSL connection:

    • RFC 1483/2684 Bridged: unpopular due to security and scalability issues.
    • PPP over Ethernet (PPPoE)
    • PPP over ATM (PPPoA)

    [Diagram: Branch CPE, local loop to the DSLAM, ATM service provider network, core router, DHCP server, Internet]

    2/36

    Implementation Plan

    1. Deploy broadband connectivity
    2. Configure static routing
    3. Document and verify other services
    4. Implement and tune the IPsec VPN
    5. Configure GRE tunnels

    Note:

    • For simplicity reasons, the ADSL Internet link implemented in the previous step will be replaced by a Serial link.

    3/36

    VPN Solutions

    There are basically two VPN solutions:

    • Site-to-site VPNs
      • VPN endpoints are devices such as routers.
      • The VPN is completely hidden from the users.
    • Remote-access VPNs
      • A mobile user initiates a VPN connection re

    4/36

    Site-to-Site VPNs

    5/36

    Remote Access VPNs

    6/36

    IPsec Technologies

    IPsec VPNs provide two significant benefits:

    • Encryption
    • Encapsulation

    IPsec encryption provides three major services:

    • Confidentiality
    • Integrity
    • Authentication

    7/36

    IPsec Encapsulation

    IPsec is capable of tunneling packets using an additional encapsulation.

    [Diagram: New IP Header | ESP Header | Original IP Header | TCP Data | ESP Trailer | ESP Authentication. The span from the Original IP Header through the ESP Trailer is encrypted; the span from the ESP Header through the ESP Trailer is authenticated.]

    8/36

    IPsec Encapsulation Example

    The example displays how a packet is encapsulated.

    [Diagram: Branch LAN 192.168.1.0/24 and HQ LAN 10.10.10.0/24; each router's S0/0/0 connects through the ISP and the Internet, and the IPsec VPN runs between the two routers' public addresses.]

    Packet on the Branch LAN:
    Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP Data

    Packet on the HQ LAN:
    Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP Data

    Packet inside the IPsec VPN:
    New IP Header (Source: 209.165.200.22x, Destination: 209.165.200.22x; last digit illegible in the source) | ESP Header | Original IP Header (Source IP: 192.168.1.10, Destination: 10.10.10.10) | TCP Data | ESP Trailer | ESP Authentication

    9/36

    IPsec Site-to-Site VPN Example

    The Branch router has been configured to support an IPsec VPN when connecting to the HQ site. The purpose of the IPsec VPN link is to serve as a backup link in case the private WAN link fails.

    • The long-term goal is to decommission the WAN link completely and use only the VPN connection to communicate between the branch office and the head

    10/36

    Steps to Configuring an IPsec VPN

    1. Configure the initial key (ISAKMP policy) details.
    2. Configure the IPsec details.
    3. Configure the crypto ACL.
    4. Configure the VPN tunnel information.
    5. Apply the crypto map.

    [Diagram: Branch LAN 192.168.1.0/24 with a Branch Server, HQ LAN 10.10.10.0/24 with an Email Server; both routers reach the ISP over S0/0/0, each site has a NAT pool in the 209.165.200.0 address space, and the IPsec VPN runs between the two routers across the Internet.]

    11/36

    IPsec VPN Components

    ISAKMP Policy

    • Contains the authentication, encryption and hashing method commands that are first used to negotiate and exchange credentials with a VPN peer.

    IPsec Details

    • Identifies an acceptable combination of security protocols, algorithms, and other settings.

    Crypto ACL

    • Is an extended IP ACL that identifies the traffic to be protected.
    • A permit statement results in the traffic being encrypted, while a deny statement sends traffic out in clear text.
    • Both VPN peers must have reciprocating ACLs.
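The five configuration steps and the three components above, as an added example in Cisco IOS syntax (not configuration from the slide deck): a site-to-site IPsec VPN between the Branch and HQ routers of this chapter's topology. The peer addresses 209.165.200.226 (Branch) and 209.165.200.242 (HQ), the pre-shared key, the interface names and the ACL and crypto map names are assumed.

```cisco
! Added example, not from the deck. Assumed: Branch public address
! 209.165.200.226, HQ public address 209.165.200.242, key BRANCH-HQ-KEY,
! LANs 192.168.1.0/24 (Branch) and 10.10.10.0/24 (HQ).
!
! ---------- Branch router ----------
! Step 1: ISAKMP (IKE phase 1) policy. AES/SHA/DH group 14 instead of the
! weak IOS defaults (DES, MD5, group 1); group 14 needs an IOS that offers it.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key BRANCH-HQ-KEY address 209.165.200.242
!
! Step 2: IPsec (phase 2) transform set; tunnel mode adds the new IP header.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
! Step 3: crypto ACL. Only LAN-to-LAN traffic is protected; anything not
! permitted here (Internet-bound traffic) leaves in clear text.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Step 4: crypto map ties the peer, transform set and crypto ACL together.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.242
 set transform-set VPN-TS
 match address VPN-TRAFFIC
!
! Step 5: apply the crypto map to the Internet-facing interface.
interface Serial0/0/0
 crypto map VPN-MAP
!
! ---------- HQ router (mirror image) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key BRANCH-HQ-KEY address 209.165.200.226
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
! Reciprocating crypto ACL: source and destination swapped relative to Branch.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 209.165.200.226
 set transform-set VPN-TS
 match address VPN-TRAFFIC
interface Serial0/0/0
 crypto map VPN-MAP
```

Where Serial0/0/0 also performs NAT for Internet traffic, the NAT ACL must deny 192.168.1.0/24 to 10.10.10.0/24, because IOS applies inside-to-outside NAT before the crypto map and a translated source address would no longer match the crypto ACL.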

    12/36

    GRE Overview

    Tunneling protocol developed by Cisco.

    Can encapsulate a wide variety of network layer protocol packets inside IP tunnels.

    • GRE is commonly implemented with IPsec to support IGPs.

    GRE is just an encapsulation protocol.

    • By default, the traffic leaves in clear text.

    Therefore, GRE tunnels do not provide encryption services.

    • IPsec must also be configured to encrypt the routing traffic.

    Note:

    • IPsec was designed to tunnel IP only (no multiprotocol support)
    • Older IOS versions do not support IP multicast over IPsec

    13/36

    Sending IGP Traffic Over IPsec

    Routing protocols are encapsulated with a GRE header.

    The packet encapsulated by GRE is then encapsulated with IPsec.

    Therefore, IPsec encrypts the GRE packet which contains the routing update.

    [Diagram: Routing Protocol Updates enter the GRE Tunnel; the IPsec Crypto Map turns the GRE packets into IPsec Encrypted Traffic.]

    14/36

    Transport, Carrier, Passenger Protocols

    In our scenario, the payload of GRE packets will be EIGRP routing updates and LAN-to-LAN corporate traffic.

    • The GRE packet will then be encapsulated inside an IPsec packet.

    Therefore, IPsec is the "transport protocol," and GRE is the "carrier protocol" used to carry other "passenger protocols," such as IP broadcast or IP multicast, and non-IP protocols.

    [Diagram: IPsec (New IP Header) = Transport Protocol | GRE = Carrier Protocol | Network Packet (Original IP header and Data) = Passenger Protocol]
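Slides 12 to 14 as an added Cisco IOS example (not configuration from the deck): EIGRP updates ride a GRE tunnel, and the GRE packets between the tunnel endpoints are the traffic the crypto ACL protects. The tunnel subnet 172.16.0.0/30, EIGRP AS 1, the public addresses 209.165.200.226 (Branch) and 209.165.200.242 (HQ) and the pre-shared key are assumed; only the Branch side is shown.

```cisco
! Added example, not from the deck. Assumed: Branch S0/0/0 209.165.200.226,
! HQ S0/0/0 209.165.200.242, tunnel 172.16.0.0/30, EIGRP AS 1, key
! BRANCH-HQ-KEY. HQ mirrors this configuration with the addresses swapped.
!
! Carrier protocol: the GRE tunnel. EIGRP (passenger protocol, multicast)
! is sent through Tunnel0, which IPsec alone could not carry on older IOS.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 209.165.200.242
 tunnel mode gre ip
 ! GRE plus ESP overhead: lower the MTU and clamp TCP MSS to avoid fragments.
 ip mtu 1400
 ip tcp adjust-mss 1360
!
router eigrp 1
 network 192.168.1.0 0.0.0.255
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! Transport protocol: IPsec. The crypto ACL matches the GRE packets between
! the two tunnel endpoints, not the LAN prefixes; without it the GRE packets,
! and the routing updates inside them, leave in clear text.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key BRANCH-HQ-KEY address 209.165.200.242
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
ip access-list extended GRE-TRAFFIC
 permit gre host 209.165.200.226 host 209.165.200.242
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 209.165.200.242
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! The crypto map goes on the physical interface that sources the tunnel.
interface Serial0/0/0
 ip address 209.165.200.226 255.255.255.248
 crypto map GRE-MAP
```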

    15/36

    Planning for Mobile Worker Implementations

    16/36

    Connecting a Mobile Worker

    There are many challenges to connecting an increasingly mobile workforce. Mobile workers have become power users who may not even need a full-time office but re

    17/36

    Enterprise Mobile Worker Considerations

    In addition to the regular email and Internet support, mobile workers are increasingly re

    18/36

    Connecting Mobile Workers

    19/36

    Enterprise Mobile Worker Considerations

    Other mobile worker considerations include:

    • Security
    • Authentication
    • IPsec and Secure Sockets Layer (SSL) VPNs
    • Quality of Service (QoS)
    • Management

    20/36

    Enterprise Mobile Worker Considerations

    Security:

    • Security options safeguard the corporate network and close unguarded back doors.
    • Deploying firewall, intrusion prevention, and URL filtering services meets most security needs.

    Authentication:

    • Authentication defines who gains access to resources.
    • Identity-based network services using authentication, authorization, and accounting (AAA) servers, 802.1X port-based access control, Cisco security, and trust agents are used.

    21/36

    Enterprise Mobile Worker Considerations

    IPsec and Secure Sockets Layer

    22/36

    Connecting Mobile Workers

    The choice of implementation will affect the routing solution.

    Remote-Access VPN users will use a portable device (i.e., a laptop) to initiate a VPN connection using either VPN client software or an SSL Internet browser connection.

    SOHO with a DSL Router is an example of a business-ready mobile worker. The routers maintain an always-on site-to-site IPsec VPN connection and the VPN is completely hidden to the user.

    23/36

    Components for Mobile Workers

    A mobile worker solution usually has three major components:

    • Components located at the mobile worker's remote site
    • Corporate components located at the central site
    • Optional IP telephony and other services.
      • May be embedded into the user laptop via soft phones and other applications.

    24/36

    Business-Ready VPN Components

    Cisco Easy VPN Server:

    • A Cisco IOS router or Cisco PIX / ASA Firewall configured as the VPN headend device in site-to-site or remote-access VPNs.

    And either:

    • Cisco Easy VPN Remote:
      • A Cisco IOS router or Cisco PIX / ASA Firewall acting as a remote VPN client.
    • Cisco Easy VPN Client:
      • An application supported on a PC used to access a Cisco VPN server.

    25/36

    Routing Traffic to the Mobile Worker

    26/36

    Easy VPN Server

    The Cisco Easy VPN server feature is usually configured on the headend VPN router (typically the edge router).

    • It concentrates the bulk of the remote-end configuration, which "pushes" the policies to the client at the moment of connection.

    At the remote end, the device used by the mobile worker is known as the Easy VPN remote or Easy VPN client. The Easy VPN remote device starts an IPsec VPN tunnel to connect to the Easy VPN server across the public network.

    27/36

    VPN Headend Router Implementation Plan

    1. Allow IPsec traffic
    2. Define an address pool for connecting clients.
    3. Provide routing services for VPN subnets.
    4. Tune NAT for VPN traffic flows.
    5. Verify IPsec VPN configuration

    Note:

    • For simplicity reasons, the scenarios used in the following steps are loosely connected examples.
    • Therefore, the network and IP addressing may vary between steps.
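The five-step headend plan above as an added Cisco IOS Easy VPN server example (not configuration from the deck), one section per step. The outside interface Serial0/0/0 at 209.165.200.242, the client pool 10.10.20.1 to 10.10.20.50, the inside LAN 10.10.10.0/24, the group name, user name and key values are assumed placeholders.

```cisco
! Added example, not from the deck. Assumed: outside interface Serial0/0/0 at
! 209.165.200.242, inside LAN 10.10.10.0/24 (interface marked ip nat inside),
! pool 10.10.20.1-10.10.20.50, group MOBILE / key MOBILE-KEY, user alice.
!
! Step 1: let ISAKMP, NAT-T and ESP reach the headend through the inbound ACL.
ip access-list extended OUTSIDE-IN
 permit udp any host 209.165.200.242 eq isakmp
 permit udp any host 209.165.200.242 eq non500-isakmp
 permit esp any host 209.165.200.242
!
! Step 2: address pool for connecting clients, with AAA so each user is
! authenticated (XAUTH) before the group policy is pushed to the client.
aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-GROUP local
username alice secret ALICE-PASSWORD
ip local pool VPN-POOL 10.10.20.1 10.10.20.50
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2   ! legacy Easy VPN clients negotiate group 2; use the strongest supported
crypto isakmp client configuration group MOBILE
 key MOBILE-KEY
 pool VPN-POOL
!
! Step 3: routing for the VPN subnet. reverse-route injects a host route for
! each connected client so the LAN can reach it through the headend.
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10
 set transform-set VPN-TS
 reverse-route
crypto map EZVPN-MAP client authentication list VPN-AUTH
crypto map EZVPN-MAP isakmp authorization list VPN-GROUP
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
! Step 4: NAT exemption. LAN-to-pool traffic must not be translated, because
! NAT runs before encryption and a translated packet no longer matches the SA.
ip access-list extended NAT-INSIDE
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Serial0/0/0 overload
!
interface Serial0/0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map EZVPN-MAP
!
! Step 5: verify with "show crypto isakmp sa" and "show crypto ipsec sa".
```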

    28/36

    Remote Access VPNs - SSL VPN

    29/36

    Remote Access VPNs - Cisco VPN Client

    [Screenshot: VPN Client | User Authentication for "R1"; connection entry R1, host R1-vpn-cluster.cisco.com, transport IPSec/UDP]

    30/36

    Remote Access VPNs - Cisco VPN Client

    [Screenshot: connection entry R1]

    31/36

    Verify Remote Access VPNs Connectivity

    32/36

    Chapter 7 Summary

    The chapter focused on the following topics:

    • Planning the branch office implementation
    • Analyzing services in the branch office
    • Planning for mobile worker implementations
    • Routing traffic to the mobile worker

    33/36

    Chapter 7 Lab: Lab 7-1 Configure Routing Facilities to the Branch Office

    34/36

    Resources

    Cisco IOS Software Releases 12.4 Mainline

    • http://www.cisco.com/en/US/products/ps6350/tsd_products_support_series_home.html

    The Cisco IOS Command Reference

    • http://www.cisco.com/en/US/products/ps6350/prod_command_reference_list.html

    35/36

    Chapter 7 Labs

    Lab 7-1 Configure Routing Facilities to the Branch Office
