Lesson 12
Configuring Security Appliance Remote Access Using Cisco Easy VPN
© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—12-1
Introduction to Cisco Easy VPN
Cisco Easy VPN
Easy VPN Servers:
• Cisco IOS > 12.2(8)T Router
• PIX Firewall/ASA > 6.2
• Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
Easy VPN Remote:
• Cisco VPN Client > 3.x
• Cisco 800 Series Router
• Cisco 900 Series Router
• Cisco 1700 Series Router
• Cisco VPN 3002 Hardware Client
• Cisco PIX Firewall 501 and 506
Features of Cisco Easy VPN Server
• Server support for Cisco Easy VPN Remote Clients was introduced with the release of the Cisco PIX Firewall Software v6.2.
• It allows remote end users to communicate using IPSec with supported security appliance VPN gateways.
• Centrally managed IPSec policies are pushed to the clients by the server, minimizing configuration by the end users.
Supported Easy VPN Servers
• Cisco IOS > 12.2(8)T router
• PIX Firewall/ASA > 6.2
• Cisco VPN 3000 > 3.11 (> 3.5.1 recommended)
Supported Easy VPN Remote Clients
• Cisco VPN Software Client > 3.x
• Cisco VPN 3002 Hardware Client > 3.x
• Cisco PIX Firewall 501 and 506 VPN Client > 6.2
• Cisco Easy VPN Remote Router Clients
– Cisco 800 Series
– Cisco 900 Series
– Cisco 1700 Series
Easy VPN Remote Modes of Operation
Easy VPN Remote supports two modes of operation:
• Client mode
– Specifies that NAT and PAT be used.
– Client automatically configures the NAT and PAT translations and the ACLs that are needed to implement the VPN tunnel.
– Supports split tunneling.
• Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses.
– PAT is not used.
– Supports split tunneling.
Easy VPN Remote Client Mode
Figure: a PIX Firewall 501/506 (Easy VPN Remote) with inside hosts 192.168.1.2 and 192.168.1.3 behind its inside address 192.168.1.1 builds a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) protecting 10.0.0.0/24; the remote applies PAT, so traffic in the tunnel appears to come from the single address 10.0.1.2 assigned by the server.
Easy VPN Remote Network Extension Mode
Figure: a Cisco 1710 router running 12.2(8)YJ (Easy VPN Remote) with hosts 172.16.10.4, 172.16.10.5 and 172.16.10.6 on its LAN, and a PIX Firewall 501 (Easy VPN Remote) with hosts 172.16.20.5 and 172.16.20.6, each build a VPN tunnel to a PIX Firewall 525 (Easy VPN Server) protecting 10.0.0.0/24; the remote hosts keep their routable addresses (no PAT).
Overview of Cisco VPN Client
Cisco VPN Software Client for Windows
Cisco VPN Client Features and Benefits
Cisco VPN Client provides the following features and benefits:
• Intelligent peer availability detection
• SCEP
• Data compression (LZS)
• Command-line options for connecting, disconnecting, and connection status
• Configuration file with option locking
• Support for Microsoft network login (all platforms)
• DNS, WINS, and IP address assignment
• Load balancing and backup server support
• Centrally controlled policies
• Integrated personal firewall (stateful firewall): Zone Labs technology (Windows only)
• Personal firewall enforcement: Zone Alarm, BlackICE (Windows only)
Cisco VPN Client Specifications
• Supported tunneling protocols
• Supported encryption and authentication
• Supported key management techniques
• Supported data compression technique
• Digital certificate support
• Authentication methodologies
• Profile management
• Policy management
How Cisco Easy VPN Works
Easy VPN Remote Connection Process
• Step 1: The VPN Client initiates the IKE Phase 1 process.
• Step 2: The VPN Client negotiates an IKE SA.
• Step 3: The Easy VPN Server accepts the SA proposal.
• Step 4: The Easy VPN Server initiates a username/password challenge.
• Step 5: The mode configuration process is initiated.
• Step 6: IKE quick mode completes the connection.
Step 1: Cisco VPN Client Initiates IKE Phase 1 Process
• Using pre-shared keys? Initiate AM (aggressive mode).
• Using digital certificates? Initiate MM (main mode).
Figure: Remote PC with Easy VPN Remote Client; Security Appliance Easy VPN Server.
Step 2: Cisco VPN Client Negotiates an IKE SA
• The Cisco VPN Client attempts to establish an SA between peer IP addresses by sending multiple IKE proposals to the Easy VPN Server.
• To reduce manual configuration on the VPN Client, these IKE proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– DH group sizes
Figure: the Remote PC with Easy VPN Remote Client sends Proposal 1, Proposal 2, Proposal 3 to the Security Appliance Easy VPN Server.
Step 3: Easy VPN Server Accepts SA Proposal
• The Easy VPN Server searches for a match:
– The first proposal to match the server’s list is accepted (highest priority match).
– The most secure proposals are always listed at the top of the Easy VPN Server’s proposal list (highest priority).
• IKE SA is successfully established.
• Device authentication ends and user authentication begins.
Figure: proposal checking on the Security Appliance Easy VPN Server finds a match for Proposal 1 from the Remote PC with Easy VPN Remote Client.
Step 4: Easy VPN Server Initiates a Username/Password Challenge
• If the Easy VPN Server is configured for Xauth, the VPN Client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password information is checked against authentication entities.
• All Easy VPN Servers should be configured to enforce user authentication.
Figure: the Security Appliance Easy VPN Server sends a username/password challenge to the Remote PC with Easy VPN Remote Client and checks the reply against AAA.
Step 5: Mode Configuration Process Is Initiated
• If the Easy VPN Server indicates successful authentication, the VPN Client requests the remaining configuration parameters from the Easy VPN Server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN Client.
• Remember that the IP address is the only required parameter in a group profile; all other parameters are optional.
Figure: the Remote PC with Easy VPN Remote Client requests parameters; the Security Appliance Easy VPN Server returns the system parameters via mode configuration.
Step 6: IKE Quick Mode Completes Connection
• After the configuration parameters have been successfully received by the VPN Client, IKE quick mode is initiated to negotiate IPSec SA establishment.
• After IPSec SA establishment, the VPN connection is complete.
Figure: quick mode IPSec SA establishment between the Remote PC with Easy VPN Remote Client and the Security Appliance Easy VPN Server; the VPN tunnel is then up.
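The negotiation of Steps 1 to 3 modelled in Python, as an added example (not Cisco code): the server policies are the lesson's isakmp policy 20 from Task 1 and policy 10 from the configuration summary; the client's proposal list and the xauth_enabled flag are assumptions.

```python
"""Model of the Easy VPN IKE Phase 1 exchange (Steps 1-3). Added example, not
Cisco code. Server policies come from the lesson: policy 20 (pre-share, des,
sha, group 2) and policy 10 (pre-share, aes, md5, group 2). The client's
proposal list is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    encryption: str       # des, 3des, aes
    hash: str             # md5, sha
    authentication: str   # pre-share (aggressive mode) or rsa-sig (main mode)
    group: int            # Diffie-Hellman group


# Lesson values; a lower policy number is a higher priority on the server.
SERVER_POLICIES: Dict[int, IkeProposal] = {
    10: IkeProposal("aes", "md5", "pre-share", 2),
    20: IkeProposal("des", "sha", "pre-share", 2),
}


def initiate_phase1(authentication: str) -> str:
    """Step 1: pre-shared keys start aggressive mode (AM); certificates start main mode (MM)."""
    return "AM" if authentication == "pre-share" else "MM"


def client_proposals(authentication: str,
                     encryptions=("aes", "3des", "des"),
                     hashes=("sha", "md5"),
                     groups=(2, 5)) -> List[IkeProposal]:
    """Step 2: the client offers many combinations so the user configures almost nothing."""
    return [IkeProposal(e, h, authentication, g)
            for e in encryptions for h in hashes for g in groups]


def server_select(proposals: List[IkeProposal],
                  policies: Dict[int, IkeProposal] = SERVER_POLICIES
                  ) -> Optional[Tuple[int, IkeProposal]]:
    """Step 3: walk the server's list in priority order and accept the first policy
    the client also offered; None means no IKE SA and the connection fails."""
    offered = set(proposals)
    for priority in sorted(policies):
        if policies[priority] in offered:
            return priority, policies[priority]
    return None


def phase1(authentication: str, xauth_enabled: bool = True) -> dict:
    """Run Steps 1-3 and report what follows: Step 4 (Xauth) or Step 5 (mode config)."""
    result = {"mode": initiate_phase1(authentication), "ike_sa": None, "next": "fail"}
    match = server_select(client_proposals(authentication))
    if match:
        result["ike_sa"] = match
        # Device authentication is done; user authentication (Xauth) follows if enforced.
        result["next"] = "xauth" if xauth_enabled else "mode-config"
    return result


if __name__ == "__main__":
    print(phase1("pre-share"))
    print(phase1("rsa-sig"))  # no server policy here accepts certificates
```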
Configuring Users and Groups
Group Policy
Figure: group policies (EngineeringPolicy, MarketingPolicy, TrainingPolicy) are pushed from the security appliance across the Internet to the client belonging to the Engineering, Marketing or Training group; the inside networks are 10.0.0.0/24 and 10.0.1.0/24 (Eng, Mktg).
Groups and Users
Figure: Base Group: Corporate; Groups: Departments (Customer Service/Base/Service, MIS/Base/Sales, Finance/Base/Finance); Users: Individuals (VP of MIS, VP of Finance).
group-policy Command
• To create or edit a group policy, use the group-policy command in global configuration mode.
• A default group policy, named DfltGrpPolicy, always exists on the security appliance.
firewall(config)#
group-policy {name internal [from group-policy name]}
fw1(config)# group-policy training internal
group-policy attributes Command
• Use the group-policy attributes command in global configuration mode to enter the group-policy attributes submode.
firewall(config)#
group-policy {name} attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#
Users and User Attributes
• To add a user to the security appliance database, enter the username command in global configuration mode.
firewall(config)#
username {name} {nopassword | password password [encrypted]} [privilege priv_level]
fw1(config)# username user1 password 12345678
• To enter the username attributes submode, use the username attributes command in global configuration mode.
firewall(config)#
username {name} attributes
fw1(config)# username user1 attributes
fw1(config-username)#
Configuring the Easy VPN Server for Extended Authentication
Easy VPN Server General Configuration Tasks
The following general tasks are used to configure an Easy VPN Server on a security appliance:
• Task 1: Create ISAKMP policy for remote VPN Client access.
• Task 2: Create IP address pool.
• Task 3: Define group policy for mode configuration push.
• Task 4: Create transform set.
• Task 5: Create dynamic crypto map.
• Task 6: Assign dynamic crypto map to static crypto map.
• Task 7: Apply crypto map to security appliance interface.
• Task 8: Configure Xauth.
• Task 9: Configure NAT and NAT 0.
• Task 10: Enable IKE DPD.
Task 1: Create ISAKMP Policy for Remote VPN Client Access
fw1(config)# isakmp enable outside
fw1(config)# isakmp policy 20 authentication pre-share
fw1(config)# isakmp policy 20 encryption des
fw1(config)# isakmp policy 20 hash sha
fw1(config)# isakmp policy 20 group 2
Figure: Remote Client 192.168.1.5 reaches the security appliance outside interface 172.26.26.1 across the Internet; Server 10.0.0.15 is on the inside. ISAKMP: pre-share, DES, SHA, group 2.
Task 2: Create IP Address Pool
firewall(config)#
ip local pool poolname first-address-last-address [mask mask]
fw1(config)# ip local pool MYPOOL 10.0.11.1-10.0.11.254
• Creates an optional local address pool if the remote client is using the remote server as an external DHCP server
Figure: pool vpnpool 10.0.11.1-10.0.11.254 on the security appliance (Remote Client 192.168.1.5, outside 172.26.26.1, Server 10.0.0.15 inside).
Task 3: Define Group Policy for Mode Configuration Push
Task 3 contains the following steps:
• Step 1: Set the tunnel group type.
• Step 2: Configure the IKE pre-shared key.
• Step 3: Specify the local IP address pool.
• Step 4: Configure the group policy type.
• Step 5: Enter the group-policy attributes submode.
• Step 6: Specify the DNS servers.
• Step 7: Specify the WINS servers.
• Step 8: Specify the DNS domain.
• Step 9: Specify idle timeout.
Step 1: Set the Tunnel Group Type
firewall(config)#
tunnel-group name type type
fw1(config)# tunnel-group training type ipsec-ra
• Names the tunnel group
• Defines the type of VPN connection that is to be established
Figure: the VPN group settings (pre-shared key, DNS server, WINS server, DNS domain, address pool, idle time) are pushed to the Remote Client.
Step 2: Configure IKE Pre-Shared Key
firewall(config)#
tunnel-group name [general-attributes | ipsec-attributes]
• Enters tunnel-group ipsec-attributes submode to configure the key
firewall(config-ipsec)#
pre-shared-key key
• Associates a pre-shared key with the connection policy
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# pre-shared-key cisco123
Step 3: Specify Local IP Address Pool
firewall(config)#
tunnel-group name [general-attributes | ipsec-attributes]
• Enters tunnel-group general-attributes submode to configure the address pool
firewall(config-general)#
address-pool [interface name] address_pool1 [...address_pool6]
• Associates an address pool with the connection policy
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# address-pool MYPOOL
Step 4: Configure the Group Policy Type
firewall(config)#
group-policy {name internal [from group-policy name]}
fw1(config)# group-policy training internal
Step 5: Enter the Group-Policy Attributes Subcommand Mode
firewall(config)#
group-policy {name} attributes
fw1(config)# group-policy training attributes
fw1(config-group-policy)#
Step 6: Specify DNS Servers
firewall(config-group-policy)#
dns-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# dns-server value 10.0.0.15
Step 7: Specify WINS Servers
firewall(config-group-policy)#
wins-server {value ip_address [ip_address] | none}
fw1(config-group-policy)# wins-server value 10.0.0.15
Step 8: Specify DNS Domain
firewall(config-group-policy)#
default-domain {value domain-name | none}
fw1(config-group-policy)# default-domain value cisco.com
Step 9: Specify Idle Timeout
firewall(config-group-policy)#
vpn-idle-timeout {minutes | none}
fw1(config-group-policy)# vpn-idle-timeout 600
Task 4: Create Transform Set
firewall(config)#
crypto ipsec transform-set transform-set-name transform1 [transform2]
fw1(config)# crypto ipsec transform-set remoteuser1 esp-des esp-sha-hmac
Figure: transform set DES, SHA-HMAC between Remote Client 192.168.1.5 and the security appliance (outside 172.26.26.1, Server 10.0.0.15 inside).
Task 5: Create Dynamic Crypto Map
firewall(config)#
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [… transform-set-name9]
fw1(config)# crypto dynamic-map rmt-dyna-map 10 set transform-set remoteuser1
Task 6: Assign Dynamic Crypto Map to Static Crypto Map
firewall(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
fw1(config)# crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
Task 7: Apply Dynamic Crypto Map to Security Appliance Outside Interface
firewall(config)#
crypto map map-name interface interface-name
fw1(config)# crypto map rmt-user-map interface outside
Task 8: Configure Xauth
Task 8 contains the following steps:
• Step 1: Enable AAA login authentication.
• Step 2: Define AAA server IP address and encryption key.
• Step 3: Enable IKE Xauth for the tunnel group.
Step 1: Enable AAA Login Authentication
firewall(config)#
aaa-server server-tag protocol server-protocol
fw1(config)# aaa-server mytacacs protocol tacacs+
fw1(config-aaa-server-group)#
Figure: TACACS+ server 10.0.0.15 on the inside of the security appliance (outside 172.26.26.1); Remote Client 192.168.1.5 across the Internet.
Step 2: Define AAA Server IP Address and Encryption Key
firewall(config)#
aaa-server server-tag [(interface-name)] host server-ip [key] [timeout seconds]
fw1(config)# aaa-server mytacacs (inside) host 10.0.0.15 cisco123 timeout 5
fw1(config-aaa-server-host)#
Step 3: Enable IKE Xauth for Tunnel Group
firewall(config-general)#
authentication-server-group [(interface-name)] server-group [LOCAL | NONE]
fw1(config)# tunnel-group training general-attributes
fw1(config-general)# authentication-server-group mytacacs
Figure: Xauth for Remote Client 192.168.1.5 is checked by the security appliance against the TACACS+ server 10.0.0.15.
Task 9: Configure NAT and NAT 0
• Matches ACL: Encrypted data and no translation (NAT 0)
• Does not match ACL: Clear text and translation (PAT)
fw1(config)# access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
fw1(config)# nat (inside) 0 access-list 101
fw1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
fw1(config)# global (outside) 1 interface
Figure: traffic from inside 10.0.0.0 to the client pool 10.0.11.0 is encrypted with no translation; all other traffic leaves as clear text with translation.
Task 10: Enable IKE DPD
1) DPD Send: Are you there?
2) DPD Reply: Yes, I am here.
firewall(config-ipsec)#
isakmp keepalive [threshold seconds] [retry seconds] [disable]
• Configures the IKE DPD parameters
fw1(config)# tunnel-group training ipsec-attributes
fw1(config-ipsec)# isakmp keepalive threshold 30 retry 10
Easy VPN Server Configuration Summary
PIX Version 7.0(1)
hostname fw1
!--- Configure Phase 1 Internet Security Association
!--- and Key Management Protocol (ISAKMP) parameters.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Configure IPSec transform set and dynamic crypto map.
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map rmt-dyna-map 10 set transform-set myset
crypto map rmt-user-map 10 ipsec-isakmp dynamic rmt-dyna-map
!--- Apply crypto map to the outside interface.
crypto map rmt-user-map interface outside
Easy VPN Server Configuration Summary (Cont.)
!--- Configure remote client pool of IP addresses.
ip local pool ippool 10.0.11.1-10.0.11.254
!--- Configure group policy parameters.
group-policy training internal
group-policy training attributes
 wins-server value 10.0.0.15
 dns-server value 10.0.0.15
 vpn-idle-timeout 600
 default-domain value cisco.com
!--- Configure tunnel group policy parameters.
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
 default-group-policy training
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10
Easy VPN Server Configuration Summary (Cont.)
!--- Configure AAA-Server parameters.
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host 10.0.0.15 timeout 5 key secretkey
!--- Specify "nonat" access list.
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
!--- Configure Network Address Translation (NAT)/
!--- Port Address Translation (PAT) for regular traffic,
!--- as well as NAT for IPSec traffic.
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
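An added configuration audit in Python (not a Cisco tool) for the summary above: it parses the lesson's tunnel-group, pool, AAA and NAT 0 lines and checks the points the lesson stresses, namely Xauth enforced through an AAA group that has a host, a pre-shared key, IKE DPD keepalives on, and the address pool covered by the NAT 0 access list; WEAK_CONFIG is a constructed variant with three mistakes.

```python
"""Audit an Easy VPN Server configuration (added example, not a Cisco tool).
SAMPLE_CONFIG is taken from the lesson's configuration summary; WEAK_CONFIG
is a constructed variant with Xauth off, DPD disabled and a pool not exempt from NAT."""
import ipaddress
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
ip local pool ippool 10.0.11.1-10.0.11.254
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 address-pool ippool
 authentication-server-group MYTACACS
tunnel-group training ipsec-attributes
 pre-shared-key training
 isakmp keepalive threshold 30 retry 10
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS host 10.0.0.15 timeout 5 key secretkey
access-list 101 permit ip 10.0.0.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list 101
"""
# Constructed mistakes: Xauth off, DPD disabled, pool outside the nonat ACL.
WEAK_CONFIG = (SAMPLE_CONFIG
               .replace("authentication-server-group MYTACACS", "authentication-server-group NONE")
               .replace("isakmp keepalive threshold 30 retry 10", "isakmp keepalive disable")
               .replace("10.0.11.0 255.255.255.0", "10.0.12.0 255.255.255.0"))


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group each header line and its indented submode lines (PIX/ASA 7.x style)."""
    blocks: Dict[str, List[str]] = {}
    current = ""
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
        blocks.setdefault(current, []).append(raw.strip())
    return blocks


def arg(lines: List[str], keyword: str) -> Optional[str]:
    """First argument after keyword, skipping an optional (interface) token; None if absent."""
    for line in lines:
        if line == keyword or line.startswith(keyword + " "):
            toks = [t for t in line[len(keyword):].split() if not t.startswith("(")]
            return toks[0] if toks else ""
    return None


def audit(config: str) -> List[str]:
    blocks = parse_blocks(config)
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)}
    aaa_hosts = set(re.findall(r"^aaa-server (\S+) (?:\(\S+\) )?host \S+", config, re.M))
    # Destination networks of the ACLs referenced by "nat (...) 0": traffic left untranslated.
    nonat = [ipaddress.ip_network(f"{m[1]}/{m[2]}")
             for acl in re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
             for m in re.finditer(rf"^access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)", config, re.M)]
    findings = []
    for tg in re.findall(r"^tunnel-group (\S+) type ipsec-ra", config, re.M):
        gen = blocks.get(f"tunnel-group {tg} general-attributes", [])
        ipsec = blocks.get(f"tunnel-group {tg} ipsec-attributes", [])
        auth = arg(gen, "authentication-server-group") or ""
        if auth.upper() in ("", "NONE"):  # lesson: every Easy VPN Server should enforce Xauth
            findings.append(f"{tg}: Xauth not enforced (authentication-server-group missing or NONE)")
        elif auth != "LOCAL" and auth not in aaa_hosts:
            findings.append(f"{tg}: AAA server group {auth} has no host")
        if not arg(ipsec, "pre-shared-key"):
            findings.append(f"{tg}: no pre-shared key")
        if arg(ipsec, "isakmp keepalive") in (None, "disable"):
            findings.append(f"{tg}: IKE DPD keepalives not enabled")
        pool = pools.get(arg(gen, "address-pool") or "")
        if pool is None:
            findings.append(f"{tg}: address pool missing or undefined")
        elif not any(pool[0] in net and pool[1] in net for net in nonat):
            findings.append(f"{tg}: address pool is not covered by the NAT 0 access list")
    return findings
```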
Configure Security Appliance Hub-and-Spoke VPNs
Benefits of Hub-and-Spoke VPNs
Figure: a central-site hub with Telecommuter, Server, Remote Site and Mobile spokes connected across the Internet.
• Provide support for small sites with small LANs and low-end PIXs because only one IPSec tunnel is needed at the spoke routers.
• Scale the network by scaling only the hub.
• Only the hub needs a static, global IP address. All the spoke PIXs can have DHCP-based dynamic IP addresses, with the hub configured with a dynamic crypto map.
• Very easy to add sites and security appliances, as no changes to the existing spoke or hub security appliance are required.
Limitations of Hub-and-Spoke VPNs
• IPSec performance is aggregated at the hub.
• All spoke-to-spoke packets are decrypted and re-encrypted at the hub.
• When using hub-and-spoke with dynamic crypto maps, the IPSec encryption tunnel must be initiated by the spoke routers.
Figure: the same hub-and-spoke topology (central-site hub; Telecommuter, Server, Remote Site and Mobile spokes across the Internet).
Configure Hub-and-Spoke VPN
• VPN spokes can be terminated on a single interface.
• Traffic from the same security level can also be permitted.
firewall(config)#
same-security-traffic permit [inter-interface | intra-interface]
• Permits communication between different interfaces with the same security level or between VPN peers connected to the same interface
fw1(config)# same-security-traffic permit intra-interface
Figure: hub 10.0.0.0 with Telecommuter, Server, Remote Site and Mobile spokes (networks 30.0.0.0, 40.0.0.0 and 50.0.0.0) across the Internet.
Cisco VPN Client Manual Configuration Tasks
The following general tasks are used to configure Cisco VPN Client:
• Task 1: Install Cisco VPN Client.
• Task 2: Create a new connection entry.
• Task 3: (Optional) Configure Cisco VPN Client transport properties.
• Task 4: (Optional) Configure Cisco VPN Client backup servers properties.
• Task 5: (Optional) Configure Dialup properties.
Task 1: Install Cisco VPN Client
Task 2: Create New Connection Entry
Task 3: (Optional) Configure Cisco VPN Client Transport Properties
Task 4: (Optional) Configure Cisco VPN Client Backup Servers Properties
Task 5: (Optional) Configure Dialup Properties
Working with the Cisco VPN Client
Cisco VPN Client Program Menu
Virtual Adapter
Setting MTU Size
Cisco VPN Client Statistics Menu
Summary
• Cisco Easy VPN features greatly enhance deployment of remote access solutions for Cisco IOS software customers.
• The Easy VPN Server adds several new commands to Cisco PIX Firewall Security Appliance Software v6.3 and later versions.
• The Cisco VPN Client enables software-based VPN remote access.